Re: Regretable Forking of linux

The Natural Philosopher <tnp@xxxxxxxxxxxxxxx> writes:

Keith Keller wrote:
On 2010-09-28, Aragorn <aragorn@xxxxxxxxxxxxxxxxxxx> wrote:
On Monday 27 September 2010 23:25 in comp.os.linux.misc, somebody
identifying as Keith Keller wrote...
I think this is not such a great idea. What if everyone in the wheel
group forgets their password? Or the groups file gets damaged (e.g.,
someone in wheel does sudo rm /etc/group)? Now you're forced to
reboot single-user or from external media, just to gain root
privileges?
Well, I am the only one in the "wheel" group, so the chances to that are
very small. ;-)

I disagree--it's potentially very easy to forget which password you've
used where, or to forget to enter a new password into whatever you use
to track passwords. Or, in this case, you could potentially mess up
your entry in /etc/passwd or /etc/shadow.

It's not so much a matter of paranoia as it is a matter of
principle. Root /can/ still log in if the system goes down to
runlevel 1 - on my
system, that requires typing the root password or hitting Control+D to
return to the default runlevel, albeit that not every distro is set up
that way - but not in the regular runlevels.

Having to go to runlevel 1 just to be able to log in as root directly
seems really annoying, and doesn't really buy you much in the way of
security. If anyone has physical access to the machine, they can simply
reboot to gain root access, and if you monitor reboots, can certainly
come up with a plausible explanation for why the machine was rebooted.

Note: I don't really like "sudo" all that much either, but it's
convenient. From the security aspect, "su" is safer, though.

I disagree here too--sudo actually logs everything to syslog, whereas su
only logs the su event itself, not the commands executed.

I have never found knowing what was done to be much help in repairing
the damage.

Not being root except for specific things is good enough for me.

I don't like sudo because half the time if there is a problem you need
to do many things as root.

Sudo stops asking for passwords on subsequent invocations
so you only need to keep retyping sudo in front of each new command.

If course you can always:

sudo bash

which is just about the same thing as

su root

except you don't need roots password.
.

Relevant Pages

  • Re: Regretable Forking of linux
    ... What if everyone in the wheel ... Root /can/ still log in if the system goes down to runlevel 1 - on my ... sudo su won't log much either, so if security is a primary concern, one ...
    (comp.os.linux.misc)
  • Re: Card Reader
    ... Running your script ... instead of sudo is worthless because your script *can't do ... And of course it doesn't ask for a root password, ... >> That's just more bullshit Bryan, and you might as well leave ...
    (rec.photo.digital)
  • Re: hi all..
    ... And with sudo, I certainly wouldn't because they already have root. ... If you somehow had access to my account right now, ... install an effective key logger without root. ...
    (Fedora)
  • Re: hi all..
    ... compromise security to achieve it - such as very insecure sudo defaults ... that essentially make any admin group user password a root password. ... IE someone gets your user account password, they can do more than just ...
    (Fedora)
  • Re: [kde-linux] KDE 4 and monitor powering off.
    ... konsole" entry, should run it as the same user (the "terminal" entry ... I changed it so that it would run as root since I have to ... I have sudo configured so my normal user has very limited access (some ... The admin user has full passwordless access to do everything root could ...
    (KDE)