On Tue 28 Jan 2020 at 10:16:18 (+0200), Andrei POPESCU wrote:
> On Lu, 27 ian 20, 13:01:17, Patrick Bartek wrote:
> > On Mon, 27 Jan 2020 18:21:30 +0200 Andrei POPESCU
> > <andreimpope...@gmail.com> wrote:
> > >
> > > In the typical sudo setup the root account is locked, so both su and
> > > root logins are disabled.
> >
> > My point is that sudo is more of a security "hole" since it only
> > requires a user's password which in my experience are less secure since
> > most users create short, easy to remember ones.
>
> That assumes the root password of these users would be significantly
> more secure.
>
> Even if it were, once the user account is compromised it would be easy
> to trick users into providing their root password to a fake 'su'.

My view is that more damage is done to home systems by the sysadmins
than by external malice, so anything that protects the system from
such damage is a useful resource. I think that selective sudo¹
provides one way of reducing damage by separating critical operations
(done by su'ing to root) from the benign day-to-day maintenance done
using sudo.

¹ by selective sudo I mean
    $ sudo some-command
    …
    $
  rather than the locked-up sudo-only scheme that you can select with
  the debian-installer. I'm not familiar with the latter.

Cheers,
David.