Stroller wrote:
On 9 Feb 2009, at 13:05, Heiko Wundram wrote:
... even when he gets access to one of your user accounts (who happen
to be in group wheel), he still has to guess the root password (when
doing su -) to be able to become root, and hopefully this buys you the
time to see in your logs that someone tried local "su" with invalid
passwords, which should always be a high priority alert.

I have been using `sudo` over `su` for a long time because I felt it
reduces the risk of staying too long logged in as root, doing something
daft and damaging the system.
However I have now many times found myself typing `sudo` commands
automatically & sometimes inattentively, so that would seem to undermine
that argument.
Your point is very persuasive. I guess my remaining objection is that I
have my .bashrc & .bash_profile just the way I like them, and using root
would seem to require me to make any changes in two places.

You can instruct sudo to ask for the target user's password instead of
your own. In this case, you can make it ask for root's password. Look
up "targetpw" in sudo's docs. To make sudo ask for the target user's
password by default, put this in /etc/sudoers:
Defaults targetpw
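
The log check mentioned in the quoted message, as an added example that is not part of the original thread: it counts failed root-password attempts made through `su` or `sudo` and reports who made them. It assumes pam_unix-style "authentication failure" lines and that, with `targetpw` set, a failed sudo attempt is logged with `user=root`; the sample lines, user names and function names are constructed for illustration, and real formats vary by distribution.

```python
import re
from collections import Counter

# Constructed sample lines modelled on pam_unix messages (not real log data).
SAMPLE_LOG = """\
Feb  9 13:01:10 host su[4121]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=root
Feb  9 13:01:19 host su[4125]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=root
Feb  9 13:02:02 host sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/2 ruser=bob rhost=  user=root
Feb  9 13:03:40 host su[4190]: pam_unix(su:session): session opened for user root by carol(uid=1002)
Feb  9 13:04:05 host sshd[4201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7  user=dave
"""

# Only local privilege changes (su, su-l, sudo) are of interest here;
# ruser is the invoking account, user is the account whose password was tried.
FAILURE = re.compile(
    r"pam_unix\((?P<service>su|su-l|sudo):auth\): authentication failure;"
    r".*?\bruser=(?P<ruser>\S*)\s.*?\buser=(?P<target>\S+)"
)


def failed_attempts(log_text, target="root"):
    """Count failures per (invoking user, service) against the target account."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if m and m.group("target") == target:
            hits[(m.group("ruser") or "unknown", m.group("service"))] += 1
    return hits


def alerts(log_text, target="root", threshold=1):
    """One alert string per user/service at or above the threshold.

    The default threshold of 1 treats every failed attempt as alert-worthy.
    """
    return [
        f"ALERT: {count} failed {service} attempt(s) for {target} by {user}"
        for (user, service), count in sorted(failed_attempts(log_text, target).items())
        if count >= threshold
    ]


if __name__ == "__main__":
    for message in alerts(SAMPLE_LOG):
        print(message)
```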