Sudo vs. Root

lessthan0 writes "In Mac OS X, the root account is disabled by default. The first user account created is added to the admin group and that user can use the sudo command to execute other commands as root. The conventional wisdom is that sudo is the most secure way to run root commands, but a closer look reveals a picture that is not so clear." The article is about OSX but the debate is a little older ;)

Oh, great!

[Len Budney]

Now all the black-hats out there will have a powerful new tool in their arsenal! You mean, a sudoer can, like, type "sudo /bin/bash" and then do all sorts of things as root? Pretty irresponsible of him to go telling the world a secret like THAT!

Sudo vs. Root?

[Evro]

The winner is clear! [googlefight.com]

Re:Old news and Poorly written

[gEvil (beta)]

More like news for noobs

Stuff that flatters?

My favorite sudo command:

[AsnFkr]

sudo passwd root

Messed up sudoers

[Gopal.V]

Recently one of my friends editied his sudoers file with the following

admin ALL=(ALL) ALL

Now it is obvious to me that he forgot a % in there. From that point onwards, there was no way we could actually run sudo to be able to edit the file using visudo. Since there is no root account, we couldn't just log in as root to fix this issue. And because of the syntax error, sudo refused to work for any user.

Now, a live CD and a setuid bash executable managed to fix the issue directly, but we learned an important lesson about root-less systems. If you screw up something like the /etc/sudoers, the system is hosed unless you have physical access.

So as much as I use sudo for almost all my UID 0 needs, I think root still needs to live in every box just to safegaurd against such simple mistakes which ended up costing more hours than the sudo would've saved.

The best way to secure the root account...

[aurb]

...is to choose a really difficult password and forget it. This will secure the box from its' worst enemy - yourself.

This says it all.

[Anonymous Coward]

Bullshit! A real administrator is always logged in as root - it's CRAP administrators that aren't! [theregister.co.uk]

I run as root at all times. Argue with me at your own peril!

Phil Collins

[Jon Luckey]

Phil Collins probably had fits when this didn't work:

pcollins$ su su sudio

How to disable root

[SuperKendall]

I reccomend you run a find command the deletes all files owned by root. That should do the trick! Without files, how could they be enabled?

Re:Layered Security

[BrianPan]

What in the world are you doing reading the articles on Slashdot? Who does that?

Re:MUCH MUCH Much better solution

[Arandir]

Our IT department (of a 70,000 person organization) audited my lab, and discovered that I had used an "insecure" password password. They determined this because they were able to crack it... ...but it took them 18 hours to crack, and they had to do it within the lab because the system in question was behind two firewalls, and the system itself had no sensitive information on it. It was an internal development system, and the password was made easy (two English words separated by a symbol) so that our sixty developers could remember it. The password itself was written on the whiteboard in the lab, but the auditors didn't mention that.