On 8/14/2013 8:44 AM, Darac Marjal wrote:
> I believe the idea is to discourage people from logging in as root. You
> can't get rid of root completely (any user with an ID of 0 is root), nor
> would you want to. But there has been many a horror story of people
> logging in as a super-user (either Root on Linux or Administrator on
> Windows) for day-to-day work - perhaps to work around some permissions
> issue or something.
>
> 'sudo' is preferred over 'su' because A) it allows for better control of
> who can do what - if you want a user to be able to run 'foo' as root
> without being asked for their password, you can do that B) the simple
> interface (just adding one keyword before a command line) encourages
> users to run JUST ONE command as root - 'su' makes it all too easy to
> switch to a root shell and forget to switch back.
>
> Now, I don't believe there's been any active discouragement of doing
> things 'the old way'. It's just that, as Linux becomes more popular, it
> needs to become more 'user friendly' - and that means robustness against
> user folly.

I agree in principle that sudo is better than su. The problem I have
with it is security; when you use sudo you type in your own password.
So if your password is compromised, the hacker can do anything the sudo
user can do - which may be very bad.

For instance, I'm the sysadmin on my VPS's. root is blocked from
logging in. However, as sysadmin I need access to pretty much
everything at some time or another. If I allow my id to have sudo
access to everything and someone gets my password, then they can really
screw up the system.

However, when I use su, I need to key in the root password before doing
anything. This adds another layer of security to the system. But
obviously I don't want to give out the root password to others.

What I would like to see is the option to require users to have a second
password (neither their login nor root password) to use sudo. I know
it's another password - but as an option it would increase security.

Jerry
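
Added example, not part of either message: a sudoers fragment that puts the blanket grant discussed above beside a per-command rule and a per-user rootpw setting. The account names admin1 and operator1 and the path /usr/local/bin/foo are constructed for illustration. Note that rootpw reuses root's password; it is not the separate third password asked for above.

```sudoers
# /etc/sudoers.d/example   (constructed file name; names in this directory must not contain a dot)
# Check syntax before installing:  visudo -c -f /etc/sudoers.d/example

# Weak setting, shown commented out: admin1's login password alone
# is enough to run anything as any user.
# admin1     ALL=(ALL:ALL) ALL

# Per-command control: operator1 may run only 'foo' as root and is
# not asked for a password. Everything else is refused and logged.
operator1    ALL=(root) NOPASSWD: /usr/local/bin/foo

# admin1 keeps full access, but sudo prompts for root's password
# instead of admin1's own, so a stolen login password is not enough.
admin1       ALL=(ALL:ALL) ALL
Defaults:admin1    rootpw

# Do not cache the credential: prompt on every sudo invocation.
Defaults:admin1    timestamp_timeout=0
```

Because the Defaults lines are scoped to admin1, operator1 never needs to know the root password.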