Re: sudo questions

Wed, 14 Aug 2013 07:37:21 -0700 

On 8/14/2013 8:44 AM, Darac Marjal wrote:


I believe the idea is to discourage people from logging in as root. You
can't get rid of root completely (any user with an ID of 0 is root), nor
would you want to. But there have been many a horror story of people
logging in as a super-user (either Root on Linux or Adminstrator on
Windows) for day-to-day work - perhaps to work around some permissions
issue or something.

'sudo' is preferred over 'su' because A) it allows for better control of
who can do what - if you want a user to be able to run 'foo' as root
without being asked for their password, you can do that B) the simple
interface (just adding one keyword before a command line) encourages
users to run JUST ONE command as root - 'su' makes it all too easy to
switch to a root shell and forget to switch back.

Now, I don't believe there's been any active discouragement of doing
things 'the old way'. It's just that, as linux becomes more popular, it
needs to become more 'user friendly' - and that means robustness against
user folly.





I agree in principle that sudo is better then su.  The problem I have 
with it is security; when you use sudo you type in your own password. 
So if your password is compromised, the hacker can do anything the sudo 
user can do - which may be very bad.



For instance, I'm the sysadmin on my VPS's.  root is blocked from 
logging in.  However, as sysadmin I need access to pretty much 
everything at some time or another.  If I allow my id to have sudo 
access to everything and someone gets my password, then they can really 
screw up the system.



However, when I use su, I need to key in the root password before doing 
anything.  This adds another layer of security to the system.  But 
obviously I don't want to give out the root password to others.



What I would like to see is the option to require users to have a second 
password (neither their login nor root password) to use sudo.  I know 
it's another password - but as an option it would increase security.


Jerry


--

To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/520b95e5.3080...@attglobal.net
























					Reply via email to