root accounts su and sudo

wolfric

I've had this debate with a number of people and read many conflicting opinions on it.Some people seem to treat it almost religiously. I honestly don't see it as much of a big deal tbh. Here's my take on it anyway.

The general story is that you have let's say 4 users of a server that need root access.
From what i've seen there are 2 different views on this
1: All users have normal accounts to log into. They each know the root password which they su to once they login.
2: All users have sudo which they use in front of any command when they need it.

The reasons i see for the first one:
if an account gets compromised, the attacker doesn't get the full rights. Sudo users are more likely to have a weak password.
If the root password was disclosed to a 3rd party, you can easily change one password to change all root access accounts. This of course assumes that your system hasn't been compromised in the mean time with a back door.



Reasons i see for the second one:
It's easier to remove someones privileges without changing the root password for everyone.
History for each separate user, identifying who ran what (one of the most useful points imo)
While you can do su -c command, most people will just run as su and as you normally have a long password, they'll keep the shell open for all the other commands they need to type in.
When running sudo, people will generally just run it for the command they need. If someone changes root password, everyone else is screwed. Of course maliciously one could edit out everyone in the sudoers file but it'd be a lot easier to simply forget to put in the username after passwd.


Here's an alternative i'm playing with. Normal users have a duplicate account called theirname-admin.
default bashrc makes alias that changes sudo to su $USER-admin -c
That way when they sudo command, they enter their seperate admin password (higher policy restrictions).

croo

a couple of additional points for consideration...
* sudo accepts the users password for confirmation by default, but that is just a default and it can be configured to require the root password or that of any other user!
* sudo is not an all or nothing scenario. by that I mean you can use it to provide a user or usergroup a subset of commands they may run as root. So it's a bit more flexibly that simple giving full root access.
* depending on how it is defined a user may or may not be running sudo in the roots environment (i.e. the scripts/commands that typically run when a user logs in might or might not be those of root - depending on how sudo is configured (or how any su command is given to be fair).
* With 4 admins I would think it important that can distinguish changes of one admin from another!?

Regardless of which route [pun intended ] you take you normally do need to keep track of who has access to what and to me this is basically what sudo is doing so why not use it... and when in doubt there is nothing to preclude you from doing both!

Johnboy1951

The general story is that you have let's say 4 users of a server that need root access.
From what i've seen there are 2 different views on this
1: All users have normal accounts to log into. They each know the root password which they su to once they login.
2: All users have sudo which they use in front of any command when they need it.

More practical ....... 4 users who need root access - each for a limited area of admin.
One might have root access for network admin, another for printer admin and so on.

Using sudo, none need to have the root password.
All access by each can be logged separately.
None of them log in as root.

The 'real' admin, who has the root password, has thus delegated some of the admin tasks to others, limiting their powers to only those delegated tasks, and no others.

I intently dislike the implementation of sudo, as done by Canonical.
Thankfully most distros have not followed that path.

regards.

croo

Johnboy1951 wrote: »

I intently dislike the implementation of sudo, as done by Canonical.

I am the only admin on my systems so have not needed to rely heavily on sudo ... but just out of curiosity what did canonical do to sudo? how does their implementation differ from normal?
(ps. sorry to OP don't mean to distract from you main question!).

pickarooney

I thought Canonical invented sudo. At least I never heard of it before Ubuntu was first released.

croo

pickarooney wrote: »

I thought Canonical invented sudo. At least I never heard of it before Ubuntu was first released.

Nah, it predates ubuntu (and debian!!) - but it became common with these distro as they do not, by default, provide a root login. I don't remember which flavour of UNIX I first saw it but it was a long time ago.

Stky10

croo wrote: »

Nah, it predates ubuntu (and debian!!) - but it became common with these distro as they do not, by default, provide a root login. I don't remember which flavour of UNIX I first saw it but it was a long time ago.

1980'sish.....

https://secure.wikimedia.org/wikipedia/en/wiki/Sudo

Its ok, but not bulletproof security wise. In a previous job it was setup to allow me to execute a shell script that I had read/write access to. So the script quickly got changed to just open a new command window as it made my job a lot simpler. I could probably have got sacked for doing so, but I didn't abuse it, I used it purely so that I could get what I needed to done.

Naikon

If su or sudo where the only ways of obtaining root access of uid 0, we would not be worrying about buffer overflows or the various stack smashing tricks out there.

Johnboy1951

croo wrote: »

I am the only admin on my systems so have not needed to rely heavily on sudo ... but just out of curiosity what did canonical do to sudo? how does their implementation differ from normal?
(ps. sorry to OP don't mean to distract from you main question!).

First ..... I have not looked to see if they have changed anything of late in the way they implement it, so I might be misstating the present case.

The first user account created has admin rights - complete admin rights - through sudo and their user password.
As most Desktop implementations of Ubuntu are single user systems, as I understand it, this setup is now widespread.

I believe muddying the waters between root and user privileges is doing no one any favours.
There may also be concerns about security with such a setup.

regards

bnt

Johnboy1951 wrote: »

I believe muddying the waters between root and user privileges is doing no one any favours.
There may also be concerns about security with such a setup.

I've been thinking about this too, but came to the conclusion that that's a decent way to get around the inherent problem with having less-techie users on a multi-user system. Someone has to have root privileges from the date of installation, and it's a reasonable assumption that the person doing the installation will be that person. On the other hand, Canonical are trying to attract users who are not trained UNIX sysadmins, who could be tempted to log in as root every time "because it's less hassle". :eek:

I'm not a Mac user, but I think the Mac way of handling this was an influence on the Ubuntu guys. I didn't understand it at first, and set up the root account as soon as I could (sudo passwd root), but I haven't done that with recent installations. I can get a root prompt if I really need it (sudo bash), but apart from that it removes the temptation to stay logged in as root, which is a good thing in my estimation. Having to sudo serves as a reminder of sorts: "you are doing this as root, so be careful".

croo

bnt wrote: »

I've been thinking about this too, but came to the conclusion that that's a decent way to get around the inherent problem with having less-techie users on a multi-user system. Someone has to have root privileges from the date of installation, and it's a reasonable assumption that the person doing the installation will be that person. On the other hand, Canonical are trying to attract users who are not trained UNIX sysadmins, who could be tempted to log in as root every time "because it's less hassle". :eek:

Yeah, this is how I see it too. Ubuntu's angle was to make the desktop easier... I would bet that most people using multi-user/server linux setups are using RedHat or Centos or something like that. But for desktops the Ubuntu approach, while unorthodox and so confusing at first, is actually a good approach for a single (non-technical) user install.
And as I said above, the sudoers configuration can always be modified later if the default is not appropriate.

Johnboy1951

bnt wrote: »

I've been thinking about this too, but came to the conclusion that that's a decent way to get around the inherent problem with having less-techie users on a multi-user system. Someone has to have root privileges from the date of installation, and it's a reasonable assumption that the person doing the installation will be that person. On the other hand, Canonical are trying to attract users who are not trained UNIX sysadmins, who could be tempted to log in as root every time "because it's less hassle". :eek:

I'm not a Mac user, but I think the Mac way of handling this was an influence on the Ubuntu guys. I didn't understand it at first, and set up the root account as soon as I could (sudo passwd root), but I haven't done that with recent installations. I can get a root prompt if I really need it (sudo bash), but apart from that it removes the temptation to stay logged in as root, which is a good thing in my estimation. Having to sudo serves as a reminder of sorts: "you are doing this as root, so be careful".

One would have to log in as root in the first place to stay logged in as root. The option to log in as root through the GUI could be dropped. I could understand a distro taking that road, to protect users from their own stupidity. I may not agree with it, but could understand it.

Strange how all (?) other distros (not derivatives) seem to manage without this 'corruption' of the use of sudo.

I cannot fathom why it is thought an advantage to have the first user password, in effect, the root password.
A password is still needed if root privileges are required.

If I want an app to be launched as root (not on Ubuntu) I can
gksu <app> or kdesu <app> as the case may be.
Not a lot of difference from
sudo <app>
The only real difference is the password supplied when prompted.

The other aspect is that Ubuntu is allegedly one of the most user friendly distros, yet there seems to be an assumption that ordinary users need to go to the terminal very often; at least that is what this appears to me to imply.

Anyway, to each his own