On 2018-08-07 at 05:58, Martin Drescher wrote:

> Hi members,
>
> I'm a little... let's say thoughtful, about the use of 'su' discussed
> at some points in this list. I have a strong opinion about su, which
> is, avoid it whenever it is possible and use 'sudo' instead. This is
> the case in close to 100% of all cases I can think of. This opinion
> is based on how both programs work and deal with pam and
> environmental variables. Not to forget: You will not need to share
> (or in my case, not even set, but lock that account) a root
> password.
>
> And I'm curious why Debian still prefers the use of su over sudo?
I'm not sure where you get the idea that Debian does prefer that.

For my own machines to date (on most if not all of which I'm the primary if not sole user, or at least non-remote user), I don't even permit sudo to be installed. (Or at least I didn't, until I decided I wanted ubuntu-dev-tools - which depends on it - on one such machine. I may even revert that decision on further consideration.)

My rationale for doing that is (in crude form) that to permit any root-level things to be done with an ordinary user's password - even mediated by a task-limiting mechanism such as I understand /etc/sudoers to be - is a security hole; not only is an ordinary user's password more likely to leak (whether by social engineering or by malicious code running as the user or by anything in between), if you're not trusted to have the root password in addition to your own, you shouldn't be doing any root-needing things in the first place.

Over the years, I've moderated that position somewhat, enough to concede that there may be value in being able to hand out the ability to do some elevated-access things without handing out the ability to do all of them. That would just mean I'd want to set up various other (non-root, non-ordinary) users, with their own passwords and the necessary access to do those specific things, and hand out those passwords instead. (And still probably have people use something like 'su -c' instead of sudo, unless sudo permits requiring the password of a user other than the one invoking the command.)

-- 
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.
-- George Bernard Shaw
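The model described in the reply (separate task-specific non-root accounts that hold only the access their job needs, handed out with their own passwords, and no root password shared) can be expressed in sudoers, since sudo's `targetpw` flag prompts for the target account's password rather than the invoker's. This is an added example, not part of the thread; the drop-in path, account names, command paths and aliases are all hypothetical.

```sudoers
# Hypothetical drop-in, e.g. /etc/sudoers.d/task-users (assumed path).
# Install with visudo -f so syntax errors never lock you out.

# Prompt for the password of the account named with -u, not the
# invoking user's.  A leaked ordinary-user password therefore no
# longer unlocks any elevated capability by itself.
Defaults targetpw

# Each capability is a fixed command run as the service account
# that owns the relevant files; neither account is root, and no
# rule below names root as a permitted target, so 'sudo -u root'
# (or plain 'sudo') is refused regardless of which password is known.
Cmnd_Alias BACKUP = /usr/bin/rsync -a /srv/data/ /mnt/backup/
Cmnd_Alias DEPLOY = /usr/local/bin/deploy-site

# alice may run BACKUP as backupop; bob may run DEPLOY as webdeploy.
# With targetpw in effect, 'sudo -u backupop rsync ...' asks alice
# for backupop's password, the equivalent of 'su -c' to that account
# but with the runnable command set enumerated and logged by sudo.
alice ALL = (backupop)  BACKUP
bob   ALL = (webdeploy) DEPLOY
```

Check the result with `visudo -c` before relying on it; if the root account is locked, as the quoted message suggests, `targetpw` also means nothing can reach root through sudo even if a rule were later added by mistake.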