Re: sudo versus #



Hi, Kayven!

On 10/02/2010 21:00, KAYVEN RIESE wrote:
> It's my understanding that the sudo command basically executes the
> subsequent command as superuser. I fail to see the difference between
> having a # prompt logged into superuser and sudo, other than ensuring that
> you don't make mistakes, unless having the terminal open can allow
> attackers to infiltrate the system? I have been using command line unix
> for a long time. I don't make mistakes. What are the real implications of
> sudo?
>
> Also, I notice that when Ubuntu gives me those update dialog boxes my root
> password doesn't work to allow the installation to go forward. This makes
> me irritated, because it instead wants my normal user password, which for
> me by design is a weaker password that I use for more things and thus
> could be more easily cracked. My root password is longer and I use it for
> less things. Both are immune to dictionary attack, but it bothers me the
> way this subverts my configuration.


The key issue here is traceability and audit.

If you log in to root, or su to root, once you are root, every command
you type is traced to root. If multiple users su to root at the same
time, nobody really knows which user typed what in particular, and then
as root (whether su or login) you can do ANYTHING without anybody being
able to know who did it.

With sudo, you can trace each command to the individual user who did it.

If user A types "sudo rm -rf /home/userB"... then the system
administrator can trace that command to user A and take appropriate
disciplinary actions.

If user A logs in as root and does "rm -rf /home/userB"... nobody really
knows who logged in as root.

This is critical in multi-user environments. Not as much on a single
user machine. But Linux was designed (just as Unix) for multi-user
environments.

Gilles.
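
The attribution described in the message above, as an added example that is not part of the original post: a Python sketch that reads sudo and su entries in the syslog format Ubuntu writes to /var/log/auth.log and maps each command to the user who invoked it. The log lines, host name and user names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real system) in auth.log syslog format.
SAMPLE_LOG = """\
Feb 10 21:05:01 host1 sudo:    userA : TTY=pts/0 ; PWD=/home/userA ; USER=root ; COMMAND=/bin/rm -rf /home/userB
Feb 10 21:06:12 host1 su[4021]: pam_unix(su:session): session opened for user root by userC(uid=1002)
Feb 10 21:07:30 host1 sudo:    userB : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/apt-get update
Feb 10 21:08:44 host1 sudo:    userD : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/userD ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

TS = r"(?P<ts>\w{3}\s+\d+ [\d:]+)"
SUDO_RE = re.compile(rf"^{TS} \S+ sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*)$")
SU_RE = re.compile(rf"^{TS} \S+ su(?:\[\d+\])?: .*session opened for user root by (?P<user>\w+)")

def parse_sudo_line(line):
    """Return one audit record for a sudo log line, or None if it is not one."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    # COMMAND= is always the last field, so the command may itself contain " ; ".
    head, sep, command = m["rest"].partition("COMMAND=")
    if not sep:
        return None
    fields = [f.strip() for f in head.split(" ; ") if f.strip()]
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    # A field without "=" is a refusal reason such as "user NOT in sudoers".
    denied = any("=" not in f for f in fields)
    return {"time": m["ts"], "user": m["user"], "run_as": kv.get("USER"),
            "tty": kv.get("TTY"), "command": command, "allowed": not denied}

def audit(log_text):
    """Group sudo commands by invoking user; list users who opened a root shell via su."""
    by_user, root_shells = defaultdict(list), []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec:
            by_user[rec["user"]].append(rec)
        elif (m := SU_RE.match(line)):
            # Only the session start is logged; commands typed as root are not.
            root_shells.append(m["user"])
    return dict(by_user), root_shells

if __name__ == "__main__":
    commands, shells = audit(SAMPLE_LOG)
    for user, recs in commands.items():
        for r in recs:
            status = "ran" if r["allowed"] else "was DENIED"
            print(f'{r["time"]} {user} {status} as {r["run_as"]}: {r["command"]}')
    print("root shells via su (no per-command record):", shells)
```
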
