On Tue, Aug 07, 2018 at 09:22:07AM -0400, The Wanderer wrote:
Or, rather, that you can do elevated-access things with the same credentials as are used to permit non-elevated access. I consider that to be, by definition, a security hole.
That can be addressed three ways: first, you can have sudo require the root password instead of the user password; second, you can use pam to have sudo require different credentials than the login password; third, you can use pam to have sudo require multi-factor authentication. The configuration that makes the most sense depends heavily on the local environment. I'd personally consider a well-implemented multi-factor scheme to be much more secure (and easier to manage) than discrete root passwords, and much easier to implement safely (including emergency access) using sudo rather than su. I tend to agree that just replacing su with sudo doesn't buy much security and may be a net negative if done carelessly; to really get value from sudo requires a good bit of customization--and it's hard to see a return on that work in a small environment. If the security factors are the same and the workflow is functionally identical except that instead of "su -" someone uses "sudo -s" or prefixes every command with sudo, it seems clearly a matter of preference and muscle memory rather than substance.
Mike Stone