Sudo vs. Root
lessthan0 writes "In Mac OS X, the root account is disabled by default. The first user account created is added to the admin group and that user can use the sudo command to execute other commands as root. The conventional wisdom is that sudo is the most secure way to run root commands, but a closer look reveals a picture that is not so clear." The article is about OS X but the debate is a little older ;)
Layered Security (Score:5, Informative)
The article doesn't say that sudo isn't the most secure way to run commands, it just details how to make it even more secure.
Same applies to Ubuntu (Score:1, Informative)
This just in: (Score:5, Informative)
C'mon, anyone with even a passing involvement with sudo has looked at the sudoers file. You can configure pretty much any group or role based permission you want; if you can describe it as a logical statement, you can do it in sudo. Yes, out of the box, you can sudo to a shell (or to an app which has a shell escape).
How To Become Root on OS X (Score:3, Informative)
Welcome to Darwin!
Hunter:~ Adam$ sudo su
Password:
Hunter:/Users/Adam root#
This is on an unmodified install... whoops, I guess that root account wasn't disabled after all!
Re:How To Become Root on OS X (Score:3, Informative)
Re:Messed up sudoers (Score:4, Informative)
BTW, you don't need a live CD if you can get to the bootloader prompt; just use init=/bin/bash on the kernel command line and the box will drop straight into a shell. Type exec
Didn't we already have the wheel group for this (Score:3, Informative)
Re:Sudo (Score:2, Informative)
Now, the servers at the workplace are a different story, though I tend to ssh in as root at times as well.
Re:Sudo is only useful when there are lots of admi (Score:4, Informative)
Re:How To Become Root on OS X (Score:5, Informative)
Re:Sudo is only useful when there are lots of admi (Score:5, Informative)
However, I never run sudo su. Why? Being forced to type "sudo" in front of potentially dangerous commands forces me to think a second time and make sure I'm not doing something stupid. If I type rm -r * and get prompted that I don't have access, you bet I'm going to double check to see if I'm in the right directory.
Re:Sudo is only useful when there are lots of admi (Score:3, Informative)
Re:Sudo is a tool not the entire solution (Score:5, Informative)
For example, I have this command in my sudoers file:
www ALL = NOPASSWD:
This allows apache to use
Re:Layered Security (Score:1, Informative)
Alternate methods (Score:4, Informative)
Solaris' problems were even more acute. Sudo was a download; it didn't come with the system. If you changed root's shell from the minimal Bourne shell the boot scripts would malfunction. More, root's home directory was "/". So setting up a personalized environment where you could use root access effectively was a pain.
The solution I came up with was a second root account. I just added another name with uid 0 using a separate password, a separate home directory and the ksh shell. Then I randomized the main root password, stored it away and promptly forgot it. I'd only need it for fsck on boot.
Later when I was in charge of multiple system administrators I gave each one their own root account. This let them set up their environment in a way that worked for them, it showed me who was using root commands when and it logged their commands to individual
It also means that like with sudo when a sysadmin leaves I don't have to change all the passwords. I just delete their account.
I still use sudo for folks who I don't expect to do much as root, but the sysadmins get their own root account.
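The pattern described in the post above (a second login name with uid 0, its own home and shell) is easy to audit for, and most hardening checklists flag extra uid-0 entries, so an admin who does this deliberately should be able to enumerate them. The script below is an added example, not code from the thread: it joins a passwd file with its shadow file and reports every uid-0 login with its shell, home directory and whether its password is locked. The passwd and shadow contents and the helper names audit_uid0 and count_uid0 are constructed for illustration. One caveat worth knowing: tools that turn a uid into a name (ls -l, ps) call getpwuid(0) and show the first matching passwd entry, so files created by the second account still display as owned by "root"; the accountability the post describes comes from login records and per-home shell history, not from file ownership.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): list every uid-0 account on a
# host, with its shell, home directory and password state, by joining a passwd
# file with its shadow file. Both files below are constructed for illustration.

PASSWD_FILE=$(mktemp); SHADOW_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$SHADOW_FILE"' EXIT

# Constructed passwd: the stock root, a second uid-0 login with ksh and its own
# home directory (the post's pattern), and an ordinary user.
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
adm:x:4:4:Admin:/var/adm:
rootksh:x:0:1:Second root (ksh):/export/home/rootksh:/bin/ksh
jane:x:1001:10:Jane Doe:/export/home/jane:/bin/ksh
EOF

# Constructed shadow: root's password is locked with "!" (the post randomised
# it instead); rootksh has a real hash (placeholder text here).
cat > "$SHADOW_FILE" <<'EOF'
root:!:18000::::::
daemon:*:18000::::::
adm:*:18000::::::
rootksh:$6$constructed$placeholderhash:18000::::::
jane:$6$constructed$anotherplaceholder:18000::::::
EOF

# audit_uid0 PASSWD SHADOW: one line per uid-0 entry: "name shell home state".
# An empty shell field means /bin/sh, as login(1) treats it.
audit_uid0() {
  awk -F: '
    NR == FNR { hash[$1] = $2; seen[$1] = 1; next }   # pass 1: shadow file
    $3 == 0 {                                          # pass 2: passwd, uid 0 only
      state = "password-set"
      if (!($1 in seen))            state = "no-shadow-entry"
      else if (hash[$1] ~ /^[!*]/)  state = "locked"
      print $1, ($7 == "" ? "/bin/sh" : $7), $6, state
    }' "$2" "$1"
}

# count_uid0 PASSWD: how many login names resolve to uid 0
count_uid0() { awk -F: '$3 == 0' "$1" | grep -c .; }

echo "uid-0 accounts: $(count_uid0 "$PASSWD_FILE")"
audit_uid0 "$PASSWD_FILE" "$SHADOW_FILE"
```

Run it against the real /etc/passwd and /etc/shadow (as root) to see every login that is effectively root on the box; any name you did not create yourself deserves an explanation.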
Re:Didn't we already have the wheel group for this (Score:2, Informative)
Long answer: man sudo and man sudoers
medium length answer: sudo gives much more fine-grained access control. If I had known about sudo I never would have needed to write wrapper programs with setuid permissions and all kinds of group-based access control to them myself.
Re:This just in: (Score:3, Informative)
With one slight problem... Yes, for a handful of well-known low-complexity programs, you can lock down sudo. For anything more, you may as well just give the user root... For example, if you let your sudo'ers use any shell or editor, or invoke any world-writeable script, game over. Most process-, file-, and account-management programs. Anything that allows explicitly suspending to a shell (or invoking an arbitrary subprogram). I could go on.
As an off-the-cuff generalization, I'd go so far as to say that most programs you need to run as root, you can use to trivially gain "normal" root access to a system. And while you might argue that you generally trust your sudo'ers more than your random users, never forget the old maxim "never attribute to malice that which you can explain as laziness".
Re:No it's not a mystery (Score:3, Informative)
All that is in bash history for the root user. And anyone who knows how to clean that can clean the log as well.
Actually, this is not always true. In some environments remote logs are kept and versioned. Root on a workstation would not have access to wipe the remote log, only add more entries to it. Still, anyone working in such an environment would almost certainly have made other changes to the workstation anyway, so arguing over the default setting is pointless.
Re:Oh, great! (Score:2, Informative)
Re:Sudo (Score:2, Informative)
Re:Sudo is only useful when there are lots of admi (Score:2, Informative)
There is an example in the 'sudoers' manual which tells how to remove 'su' and shell commands from those which sudo allows. I had to implement this after we discovered that some individuals who needed sudo access to do some things were using 'sudo sh' to get around the restrictions we placed on them. After the initial threat, they were much more agreeable to how we wanted them to do things *grin*
Re:Sudo (Score:3, Informative)
Not quite. The idea is to set it so root can't log in remotely, and that sudo requires the ROOT password and not the USER password.
This way a hacker would have to obtain BOTH the user password and the root password.
For even more fun, restrict SSH to not allow keyboard-interactive logins and require anyone who needs to SSH into a box remotely to use a certificate. That way a hacker would need the certificate, the passphrase to unlock it, and the root password. To top it off you can't just "guess" a certificate like you can a password.
-Charles
Paranoia -- everyone has to have a hobby
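The layering Charles describes maps onto two files: sudoers, where Defaults rootpw makes sudo ask for root's password instead of the caller's, and sshd_config, where PermitRootLogin no, PasswordAuthentication no and KbdInteractiveAuthentication no leave public-key authentication (SSH certificates are a form of it) as the only way in. One thing bites people here: sshd uses the first value it reads for each keyword, so hardening lines appended below a permissive distribution default change nothing. The script below is an added example, not code from the thread or from OpenSSH or sudo: it resolves the effective value of each keyword the way sshd does (first match, comments skipped, case-insensitive, stopping at the first Match block) and checks sudoers for the rootpw flag, against a constructed "appended hardening" config that fails and a corrected one that passes. The config fragments and the names sshd_effective, sudoers_rootpw and audit_remote_root are constructed for illustration; older OpenSSH spells the keyboard-interactive keyword ChallengeResponseAuthentication.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): does sshd_config actually
# enforce key-only, no-root login, and does sudoers require root's password?
# sshd takes the FIRST value it sees for each keyword, so hardening appended
# after a permissive default does nothing. All config fragments are constructed.

# sshd_effective FILE KEYWORD: the value sshd will use for KEYWORD (first match
# wins, comments ignored, keywords case-insensitive, "key value" or "key=value").
# Match blocks are not modelled: the scan stops at the first one.
sshd_effective() {
  awk -v key="$2" '
    { sub(/^[[:space:]]+/, "") }
    /^(#|$)/ { next }
    { split($0, f, /[[:space:]=]+/) }
    tolower(f[1]) == "match" { exit }
    tolower(f[1]) == tolower(key) { print f[2]; exit }
  ' "$1"
}

# sudoers_rootpw FILE: exit 0 if a plain "Defaults ... rootpw" line is present
# (per-user "Defaults:user" forms are not handled here).
sudoers_rootpw() {
  grep -qE '^[[:space:]]*Defaults[[:space:]]+(.*[,[:space:]])?rootpw([[:space:]]|,|$)' "$1"
}

# audit_remote_root SSHD_CONFIG SUDOERS: PASS/FAIL per control, exit 1 on any FAIL.
# Every keyword must be set explicitly; an unset keyword counts as FAIL.
audit_remote_root() {
  fail=0
  for want in "PermitRootLogin no" "PasswordAuthentication no" \
              "KbdInteractiveAuthentication no" "PubkeyAuthentication yes"; do
    key=${want% *}; val=${want#* }
    got=$(sshd_effective "$1" "$key")
    if [ "$got" = "$val" ]; then echo "PASS $key=$got"
    else echo "FAIL $key=${got:-unset} (want $val)"; fail=1; fi
  done
  if sudoers_rootpw "$2"; then echo "PASS Defaults rootpw"
  else echo "FAIL Defaults rootpw not set"; fail=1; fi
  return $fail
}

WEAK_SSHD_FILE=$(mktemp); FIXED_SSHD_FILE=$(mktemp)
WEAK_SUDOERS_FILE=$(mktemp); FIXED_SUDOERS_FILE=$(mktemp)
trap 'rm -f "$WEAK_SSHD_FILE" "$FIXED_SSHD_FILE" "$WEAK_SUDOERS_FILE" "$FIXED_SUDOERS_FILE"' EXIT

# Constructed: distribution defaults with "hardening" appended underneath.
cat > "$WEAK_SSHD_FILE" <<'EOF'
# Distribution defaults
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
PubkeyAuthentication yes
# Appended by an admin; sshd ignores these repeats
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF

# Constructed: the permissive lines removed, one value per keyword.
cat > "$FIXED_SSHD_FILE" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF

printf 'Defaults env_reset\n' > "$WEAK_SUDOERS_FILE"
printf 'Defaults env_reset, rootpw\n' > "$FIXED_SUDOERS_FILE"

echo "== appended hardening =="; audit_remote_root "$WEAK_SSHD_FILE" "$WEAK_SUDOERS_FILE" || true
echo "== corrected =="; audit_remote_root "$FIXED_SSHD_FILE" "$FIXED_SUDOERS_FILE"
```

On a live host, sshd -T prints the fully resolved configuration (including Match evaluation) and is the authoritative check; the awk scan above is useful for reviewing a config file before it is deployed. Note that with Defaults rootpw in place, root's password must exist and be strong, which is the opposite of the "lock root entirely" approach other posts in the thread prefer.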
Re:No it's not a mystery (Score:1, Informative)
Re:I, Root (Score:4, Informative)
Windows actually has a similar feature, sort of- right-click on something and choose "run as...", then log in as an administrator.
Re:Sudo (Score:3, Informative)