Re: Regretable Forking of linux



The Natural Philosopher <tnp@xxxxxxxxxxxxxxx> writes:

Keith Keller wrote:
On 2010-09-28, Aragorn <aragorn@xxxxxxxxxxxxxxxxxxx> wrote:
On Monday 27 September 2010 23:25 in comp.os.linux.misc, somebody
identifying as Keith Keller wrote...
I think this is not such a great idea. What if everyone in the wheel
group forgets their password? Or the groups file gets damaged (e.g.,
someone in wheel does sudo rm /etc/group)? Now you're forced to
reboot single-user or from external media, just to gain root
privileges?
Well, I am the only one in the "wheel" group, so the chances to that are
very small. ;-)

I disagree--it's potentially very easy to forget which password you've
used where, or to forget to enter a new password into whatever you use
to track passwords. Or, in this case, you could potentially mess up
your entry in /etc/passwd or /etc/shadow.

It's not so much a matter of paranoia as it is a matter of
principle. Root /can/ still log in if the system goes down to
runlevel 1 - on my
system, that requires typing the root password or hitting Control+D to
return to the default runlevel, albeit that not every distro is set up
that way - but not in the regular runlevels.

Having to go to runlevel 1 just to be able to log in as root directly
seems really annoying, and doesn't really buy you much in the way of
security. If anyone has physical access to the machine, they can simply
reboot to gain root access, and if you monitor reboots, can certainly
come up with a plausible explanation for why the machine was rebooted.

Note: I don't really like "sudo" all that much either, but it's
convenient. From the security aspect, "su" is safer, though.

I disagree here too--sudo actually logs everything to syslog, whereas su
only logs the su event itself, not the commands executed.

I have never found knowing what was done to be much help in repairing
the damage.

Not being root except for specific things is good enough for me.

I don't like sudo because half the time if there is a problem you need
to do many things as root.

Sudo stops asking for passwords on subsequent invocations
so you only need to keep retyping sudo in front of each new command.

If course you can always:

sudo bash

which is just about the same thing as

su root

except you don't need roots password.
.