On Feb 5, 2008 12:16 PM, Mike Miller <mbmiller at taxa.epi.umn.edu> wrote:
> On Tue, 5 Feb 2008, p.daniels wrote:
>
> > Ubuntu (or any distro that uses the sudo model) makes this very easy.
> > There is no root account by default, and the "do this as root" password
> > is the password of the original user (you). When you make new users,
> > they don't have root access unless you give it to them. I know on Ubuntu
> > when you make a new user, the menu items that require root access don't
> > even appear in their menus.
>
> The note above is mostly answering a question I was going to ask here.
> Isn't that system weakening security a little bit by essentially making
> the root password the same as one of the user passwords? If someone gets
> the user password, he also gets root permissions and can do what he
> pleases.
>
> Is there really no root account? On our Ubuntu system there is one:
>
> $ grep ^root /etc/passwd
>
> root:x:0:0:root:/root:/bin/bash
>
> Doesn't there have to be a root account if files are to be owned by root?
>
> What is the advantage of sudo over su? Does it log activity better?
>
> Mike

There's some misinformation above. Start by looking at a man page for
sudo [ http://www.gratisoft.us/sudo/man/sudo.html ] and then maybe hit
Wikipedia [ http://en.wikipedia.org/wiki/Sudo ].

Yes, there is a root account. sudo is a better way to facilitate using
su, providing a granular, limiting access that is also auditable
(logging). Because of this, sudo is typically set up to allow limited
administrative operations. As such, a compromised account will still
be limited to what the systems administrator allowed that account to
do in the first place, which is typically not much.

On a Macintosh or in the *buntu model, the first user created
typically has "full" sudo rights and can do anything on the machine.
This is _still_ a better security model than allowing root to log in to
the box (locally or remotely) and having a root password set.

--
Brian D. Ropers-Huilman, Director
Systems Administration and Technical Operations
Minnesota Supercomputing Institute
<bropers at msi.umn.edu>
599 Walter Library            +1 612-626-5948 (V)
117 Pleasant Street S.E.      +1 612-624-8861 (F)
University of Minnesota Twin Cities Campus
Minneapolis, MN 55455-0255
http://www.msi.umn.edu/
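
The auditability mentioned in the reply above, shown as an added example that is not part of the original thread: a small parser that turns sudo's syslog entries into a per-user record of allowed commands and denied attempts. The log lines, host name and user names are constructed; the field layout assumed is sudo's default syslog format.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's usual syslog layout (not from the thread).
SAMPLE_LOG = """\
Feb  5 12:31:07 box sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Feb  5 12:33:19 box sudo:    carol : TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
Feb  5 12:35:40 box sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Feb  5 12:36:02 box sudo:    carol : command not allowed ; TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/passwd root
Feb  5 12:40:12 box sudo:    alice : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Feb  5 12:41:00 box sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*)$")

def parse_sudo_line(line):
    """Return a dict for one sudo log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # COMMAND= is the last field and may contain " ; " itself, so split it off first.
    head, _, command = m["rest"].partition("COMMAND=")
    fields, reason = {}, None
    for part in head.split(" ; "):
        key, eq, value = part.strip().partition("=")
        if eq and key.isupper():
            fields[key] = value          # TTY=, PWD=, USER=
        elif key:
            reason = key                 # free text, e.g. "user NOT in sudoers"
    return {"time": m["ts"], "user": m["user"], "run_as": fields.get("USER"),
            "command": command.strip() or None, "denied": reason}

def audit(log_text):
    """Return ({user: [allowed commands]}, [(user, reason, command) denied])."""
    allowed, denied = defaultdict(list), []
    for rec in filter(None, map(parse_sudo_line, log_text.splitlines())):
        if rec["denied"]:
            denied.append((rec["user"], rec["denied"], rec["command"]))
        else:
            allowed[rec["user"]].append(rec["command"])
    return dict(allowed), denied

if __name__ == "__main__":
    allowed, denied = audit(SAMPLE_LOG)
    for user, cmds in allowed.items():
        print(f"{user} ran via sudo: {cmds}")
    for user, reason, cmd in denied:
        print(f"DENIED {user}: {reason} -> {cmd}")
```

Each entry names the invoking user rather than just "root", which is the record a shared root login or a plain su session does not give you.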