humbletech99 (Veteran; Joined: 26 May 2005; Posts: 1229; Location: London)
Posted: Mon Dec 19, 2005 6:27 pm; Post subject: Sudo Vs. Su Vs. Sudo Su

I am torn between how to administer my systems. At home I always su and that's the end of it. At work, my boss insists on sudo or sudo su because he says it's got better logging.
I believe that su is better for security because 2 passwords are required, whereas with sudo, if you get the user-level password, you also get root.
Could anyone give me their experiences and knowledge on the pros and cons of each?

oliver (Apprentice; Joined: 25 Jun 2003; Posts: 170)
Posted: Mon Dec 19, 2005 6:46 pm

At work we would lock the root password (on Solaris), i.e. literally run
This was so we didn't have to change root every few months when someone left, and we didn't have to maintain multiple passwords. I didn't see any problems with that approach, but I'm not sure it's infallible.
Benefits were that we could also monitor su-to-root attempts and know immediately that they weren't supposed to be doing that, and sudo had more than enough logging to keep people happy.

luisfelipe (Guru; Joined: 09 Apr 2005; Posts: 377)
Posted: Mon Dec 19, 2005 6:55 pm

Also, with sudo you can enable people to run only specific commands, which is a lot better than giving them access to the entire system as root. Check the man page for sudoers to learn how to use that.

pjp (Administrator; Joined: 16 Apr 2002; Posts: 20589)
Posted: Mon Dec 19, 2005 7:22 pm; Post subject: Re: Sudo Vs. Su Vs. Sudo Su

humbletech99 wrote:
> with sudo, if you get the user-level password, you also get root.

sudo can be configured to require the root password. "rootpw If set, sudo will prompt for the root password instead of the password of the invoking user. This flag is off by default."
Moved from Other Things Gentoo.
_________________
Quis separabit? Quo animo?

zigver (Tux's lil' helper; Joined: 09 May 2003; Posts: 87)
Posted: Mon Dec 19, 2005 8:09 pm; Post subject: Re: Sudo Vs. Su Vs. Sudo Su

humbletech99 wrote:
> I believe that su is better for security because 2 passwords are required, whereas with sudo, if you get the user-level password, you also get root.

sudo is much more powerful than that. You can tailor what commands on what machines various users are able to sudo. It's very flexible.

VStrider (Apprentice; Joined: 27 Jun 2005; Posts: 244; Location: 1 to Rule All way, Moria Gate, Middle Earth, SAU 70N)
Posted: Mon Dec 19, 2005 10:35 pm; Post subject: Re: Sudo Vs. Su Vs. Sudo Su

pjp wrote:
> sudo can be configured to require the root password. "rootpw If set, sudo will prompt for the root password instead of the password of the invoking user.

Hehe, yeah, but it kind of defeats the purpose of sudo though, doesn't it?
humbletech99, I use sudo for common everyday stuff like emerge --sync or emerge -avuD world that I want to run from my user account without typing any passwd. This is safe because even if someone gets my user passwd, they can run sudo emerge -avuD world but they cannot run sudo emerge -C or anything else. For uncommon stuff I just use su. As another example of sudo, my gf's PC is an old machine that connects to mine as a thin client. I've set up a runlevel called ltsp which starts nfs (if stopped), xinetd/in.tftp, dhcpd etc. Now if I'm not home she can still start the server with sudo /sbin/rc ltsp, but she can't go into another runlevel apart from default and ltsp.
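The per-command restriction that luisfelipe, zigver and VStrider describe, together with the rootpw flag pjp quotes, written out as an added sudoers example (it is not from any post in this thread). The user names vstrider and gf, the wheel group, the command paths and the log file location are assumptions for an imaginary Gentoo box; adjust them to your site and always edit with visudo so a syntax error cannot lock everyone out.

```sudoers
# Added example; not from the thread. User names, paths and the log file are
# assumptions for this site. Always edit with 'visudo' so a syntax error
# cannot lock everyone out.

# sudoers matches arguments literally: only these exact invocations are
# permitted, so "sudo emerge -C foo" is refused and logged as
# "command not allowed". A Cmnd entry with no arguments would match any args.
Cmnd_Alias PORTAGE = /usr/bin/emerge --sync, /usr/bin/emerge -avuD world
Cmnd_Alias LTSP    = /sbin/rc ltsp, /sbin/rc default
Cmnd_Alias SHELLS  = /bin/su, /bin/sh, /bin/bash

vstrider  ALL = (root) NOPASSWD: PORTAGE
gf        ALL = (root) LTSP

# Admins: full root, but explicitly denied the shells, so every privileged
# command stays in the sudo log instead of going dark after one "sudo su".
# Negation is not a security boundary: a user with ALL can copy a shell to
# another name, so prefer a positive command list where that matters.
%wheel    ALL = (ALL) ALL, !SHELLS

# Every invocation is logged whether it is allowed or not; give it its own file.
Defaults logfile=/var/log/sudo.log

# pjp's option: prompt for root's password rather than the caller's. This gives
# the "two passwords" property humbletech99 wants, at the cost of sharing
# root's password again, which is what locking the root account was meant to avoid.
# Defaults rootpw
```

Run `visudo -c` after editing to check the file parses. One caveat a practitioner would want: a rule that lets a user run emerge as root still executes ebuild code as root, so the rule limits the interface the user can drive, not the trust you have to place in that user.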

pjp (Administrator; Joined: 16 Apr 2002; Posts: 20589)
Posted: Mon Dec 19, 2005 11:11 pm; Post subject: Re: Sudo Vs. Su Vs. Sudo Su

VStrider wrote:
> pjp wrote:
> > sudo can be configured to require the root password. "rootpw If set, sudo will prompt for the root password instead of the password of the invoking user.
> Hehe, yeah, but it kind of defeats the purpose of sudo though, doesn't it? ;)

humbletech99 wrote:
> I believe that su is better for security because 2 passwords are required, whereas with sudo, if you get the user-level password, you also get root.

Depends on your needs, I guess.
_________________
Quis separabit? Quo animo?

humbletech99 (Veteran; Joined: 26 May 2005; Posts: 1229; Location: London)
Posted: Tue Dec 20, 2005 10:48 am

We've also disabled the root passwd on our public-facing servers and use 'sudo su'.
I understand that sudo is very flexible and you can allocate commands to users etc., although I didn't know you could actually use the root passwd with sudo.
Here, if anyone has access to the machine, they're all programmers/admins, so we really do just sudo su, hence sudo flexibility is a little wasted on us....
I think in a way, though, the rootpw with sudo does defeat the whole point.
Maybe it's just a matter of preference.
Does anybody know if the default logging is better with sudo su than with su?
I can't imagine that it is (can't test it now either)...

VStrider (Apprentice; Joined: 27 Jun 2005; Posts: 244; Location: 1 to Rule All way, Moria Gate, Middle Earth, SAU 70N)
Posted: Tue Dec 20, 2005 1:19 pm

I don't like 'sudo su'. I think it's pointless, since you start a root session, and your user already has the root passwd, so why not just su? The purpose of sudo is to give certain privileges to various users without giving them the root password. Think of it like an ACL for security privileges instead of files.
As for logging, su does log auth failures or the UID who starts a root session, though this is mostly a reminder of when root logged in; it's not so much for security, since someone with a root password can always delete/change logs. If you can't trust them fully, you shouldn't give them root passwords. ACLs and/or MACs are in order. So I can't see how sudo su is any better.

humbletech99 (Veteran; Joined: 26 May 2005; Posts: 1229; Location: London)
Posted: Tue Dec 20, 2005 1:43 pm

Neither can I. In fact I think it's worse, since you only need 1 password to get root privilege instead of 2 passwords, but it's not my call and I'm trying to understand the benefits of it and why it was chosen....
I suppose one benefit is that if someone leaves, you just delete their account and that's the end of it, rather than having to change root and tell everyone who uses it. Also, having the root account completely disabled is quite good in some ways, because this is the main target, although someone would probably try and go via the lower privilege first, figuring users are stupid and have easier passwords...
Beyond that I can't think of anything...

zigver (Tux's lil' helper; Joined: 09 May 2003; Posts: 87)
Posted: Tue Dec 20, 2005 6:07 pm

humbletech99 wrote:
> Does anybody know if the default logging is better with sudo su than with su?
> I can't imagine that it is (can't test it now either)...

I can't speak to whether this is the default or not, but sudo as I've used it at work for the last 8 years logs the following every time sudo is invoked: date, user executing the command, host executed on, current TTY, current directory, the effective UID, the command executed (with full path).
EDIT: I guess this isn't really better in the sense that once you become root, nothing gets logged.
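The log fields zigver lists above, and the gap his EDIT points at (once sudo hands out a root shell, nothing further is logged), as an added example that is not part of any post in this thread: a small parser for the lines sudo writes to syslog by default, which separates allowed from denied invocations and flags the successful ones that start a root shell (sudo su, sudo -i, sudo bash and friends). The log lines, the host name web1 and the user names are constructed for the demo; the line shape is sudo's default syslog output, but check it against the version you run.

```python
"""Parse sudo's default syslog lines and flag the ones that hand out an
unlogged root shell.

Added example for the forum thread above; not part of any post.  The log
lines, host name and user names below are constructed for the demo.
"""
import os
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape zigver describes: timestamp, host,
# invoking user, TTY, working directory, target user, full command path.
# Denied calls carry a reason before the TTY field.  The su line is here
# only to show that non-sudo records are skipped.
SAMPLE_LOG = """\
Dec 20 18:07:01 web1 sudo:   zigver : TTY=pts/0 ; PWD=/home/zigver ; USER=root ; COMMAND=/usr/bin/emerge --sync
Dec 20 18:09:14 web1 sudo:   zigver : TTY=pts/0 ; PWD=/home/zigver ; USER=root ; COMMAND=/bin/su
Dec 20 18:11:40 web1 sudo: vstrider : command not allowed ; TTY=pts/1 ; PWD=/home/vstrider ; USER=root ; COMMAND=/usr/bin/emerge -C foo
Dec 20 18:12:02 web1 sudo: vstrider : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/vstrider ; USER=root ; COMMAND=/bin/bash
Dec 20 18:13:30 web1 su[4242]: Successful su for root by humbletech99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) :"
    r"(?: (?P<reason>[^;]+?) ;)?"
    r" TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Binaries that turn one logged sudo call into an unlogged root session.
# "sudo -i" and "sudo -s" show up here too: sudo logs the shell it ran.
SHELLS = {"su", "sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}


@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str
    tty: str
    pwd: str
    runas: str
    cmd: str
    reason: Optional[str]  # None when sudo actually ran the command

    @property
    def allowed(self) -> bool:
        return self.reason is None

    @property
    def spawns_root_shell(self) -> bool:
        argv = shlex.split(self.cmd)
        return self.runas == "root" and bool(argv) and os.path.basename(argv[0]) in SHELLS


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo syslog line, None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    reason = d["reason"].strip() if d["reason"] else None
    return SudoEvent(d["ts"], d["host"], d["user"], d["tty"], d["pwd"],
                     d["runas"], d["cmd"], reason)


def parse_log(text: str) -> List[SudoEvent]:
    return [e for e in (parse_sudo_line(ln) for ln in text.splitlines()) if e]


def denied_events(events: List[SudoEvent]) -> List[SudoEvent]:
    """Refused commands and failed password prompts: worth an alert on a box
    where everyone is supposed to be an admin anyway."""
    return [e for e in events if not e.allowed]


def root_shell_events(events: List[SudoEvent]) -> List[SudoEvent]:
    """Successful calls after which sudo's per-command log goes dark."""
    return [e for e in events if e.allowed and e.spawns_root_shell]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in denied_events(evs):
        print(f"DENIED     {e.ts} {e.host} {e.user} tty={e.tty}: {e.cmd} ({e.reason})")
    for e in root_shell_events(evs):
        print(f"ROOT SHELL {e.ts} {e.host} {e.user} tty={e.tty}: {e.cmd}")
```

Point the parser at the real file (the default syslog auth facility, or the file named by a `Defaults logfile=` entry in sudoers) and the second list is exactly the set of sessions for which you have no further record, which is the practical difference between "sudo su" and a sudo rule with a command list.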