Got Root - Should You Use It?

vegthura asks: "I have several coworkers that insist that logging into servers is an acceptable practice. They claim it's just easier than using sudo and it's just as safe - you know you're root so what else do you need? And why bother logging in as you if you're just going to use sudo to run commands with root privileges anyway? Everything I've ever read has been the exact opposite philosophy. There is very little you need to be root to do, if anything in practice, and using sudo lets you only use the power of root for when you really need it. So, die hard unix geeks, you've got root... do you use it or stick to sudo?"

Root

[nagora]

The only reason to log into a server is to do admin work, which will require root. If there's something you are doing on the server that doesn't need root then you probably shouldn't be using the server for that.

I generally only have one user on servers and that's root. Everyone else can access it via nfs/samba/ftp/whatever, but only root gets login.

TWW

I stick to sudo

[gzearfoss]

I personally stick to sudo. The main reason why is to protect me from myself, more than anyone. Because I have to prefix the command with sudo, it serves as a 'mental brake' to slow down my typing, and double check what I type before I run it.

It's all about logging

[forsetti]

Given rich ACLs, there is really very little that needs to be done as root. However, when root is needed, it is important to remember that there is only one root. On a machine with multiple admins, how do you tell who logged in as root? The sudo log entry tells all:

Apr 15 22:05:41 linux-black sudo: matt : TTY=pts/0 ; PWD=/home/matt ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log

sudo is valuable if only for the logging. Yes, you can limit what can be done using the sudoers file, but logging who did what is invaluable.

Re:More than just root

[Deorus]

> Compare this with giving the root password to everyone, which requires the password to be changed whenever someone leaves the company (or someone's root privs are revoked).

Create multiple UID 0 accounts with different passwords.

As for the rest of your post, I'd rather not trust the security of a server to sudo, firstly because it had security issues in the past, and secondly because it's not a trivial task to decide which commands a user can and can not have access to.

Why do they have root?

[NNKK]

If they're not a sysadmin, they don't need the root password. They probably don't need sudo, either. If they have the former, your internal policies are broken. If they have the latter, you better be damn sure of why. sudo is far from foolproof. It's almost exactly like making select binaries suid root and available only to a specific group, except that it's more convenient (good), and introduces an extra suid root binary that could have a security bug (bad).

If they are a sysadmin, and we're talking production servers, they're either qualified to decide what's best for their particular situation, in which case you really don't need to be questioning them (if their judgement isn't trustworthy, what the HELL are they doing in a sysadmin position?) and you're just wasting everyone's time, or they're just generally incompetent, in which case either the IT department will eventually be taken over by someone competent and the house will be cleaned, or the company will die a slow and painful death. Either way, it's all pretty moot.

Make sure your resume is up-to-date.

sudo is all wrong

[r00t]

Sudo adds complexity where you least want to have it. A config file that you can mess up? No thanks.

Plain old su works well. It leaves a log, via the shell history file. You can adjust the history file size if needed. If you want a secure and uneditable log, neither will do. Breaking out of sudo is easy; normal command-line software is not designed to keep you in the setuid-like environment that sudo provides. Regular old apps will have buffer overflows, which are not considered security holes... until you go making the apps setuid or - equivalently - letting them be run via sudo.

If you'd be tempted to leave yourself su to root, first open a second window. Now you have one window for root-only stuff, and one window for everything else. Change the font or color or window title if you need help remembering.

Re:More than just root

[teknomage1]

Isn't the sysadmin's job to decide which commands a user can and can not have access to?

Re:Simple solution

[drsmithy]

I do this on all of my servers. And even more, there's this great command if you really need a root shell: sudo su

Congratulations. You have now completely removed almost every reason for using sudo in the first place.

If all you use sudo for is starting a root shell once you've logged in, then save yourself the hassle and just login as root, because you're circumventing basically every benefit sudo offers.

Never give developers root ...

[dustpuppy]

In my experience as a dedicated sysadmin working for a huge multinational, every time developers are allowed to have root access to a system, they produce the crappiest application code ever.

Applications that *require* root access to even run and require sub-apps to be root as well. They are slowly getting better (but only because in the last few years we've enforced a policy of no root access to developers).

IMHO, root access encourages sloppy behaviour (in both developers and sysadmins) and it becomes an essential crutch rather than an 'only as needed' facility. With the focus on security, and the requirement to participate in regular security audits (SOX anyway?), it simply suicide to give developers root access.

Re:More than just root

[Bert64]

So i assume you also won't trust the security of your server to an even greater degree to an OS that's had security issues in the past...
So, what OS are you running?

Re:Sudo weakens security

[jurgen]

rvim is useless. It's not enough to prevent shell-out... that's why I said that was a trivial example. You also have to restrict what files can be edited; for example if I can edit any file that will later get executed or included in a script run as a root I can give myself a root shell... I just add a line that sets the suid bit on an exe I have stashed away somewhere. You could add such a line to i.e. one of the sysconfig/network-scripts/. Since almost all unix system administration involves editing such files, again sudo is useless for general system administration.

The moment you use sudo for more than granting some highly specific operator-level priviledges, such as say starting a backup job, your root security is guaranteed to be weakened by it. And even if you think you /are/ very careful, unless you are a real unix security expert you're probably overlooking something.

:j

Re:Ask slashdot;

[OldManAndTheC++]

Surely it is best to drink the beer and then urinate on the power supply. Admittedly this increases your risk of electrocution, but at least you are not wasting beer!

P.S. you seem to have found an exception to my sig ...