Find the answer to your Linux question:
Results 1 to 8 of 8
Hello Everybody, Greetings! I just learned how to include my name in the sudoers list and have been enjoying using sudo for commands that require root. My question is, what ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Linux Engineer nujinini's Avatar
    Join Date
    Apr 2009
    Posts
    1,274

    Is Using Sudo Like Using a Safety Net?


    Hello Everybody,

    Greetings!

    I just learned how to include my name in the sudoers list and have been enjoying using sudo for commands that require root.

    My question is, what is the advantage if I use sudo in commands that are suppose to be executed as root. If I make a mistake using the sudo option in execution of commands and screw-up my environment. Will I be able to undo the mistake since the command was not executed as real root (su -)? Or "roll it back" so to speak?

    Thank you for any clarifications!

  2. #2
    Linux Guru reed9's Avatar
    Join Date
    Feb 2009
    Location
    Boston, MA
    Posts
    4,651
    No, you can't rollback sudo commands.

    Sudo has a couple of advantages. One, it keeps a history log. Not so useful for the average desktop user, but nice for sys admins. Two, you run with only the command you want with elevated priviliges. (You can do this with su -c 'command' as well rather than loggin in as root.) Three, you can limit a user or group of users to specific tasks and commands. So rather than give the keys to whole computer away with the root password, you can define that this group of users has access to networking commands, but can't install software, or this user can install software, but can't write to the root filesystem or whatnot.

    The other argument for using sudo and disabling the root account altogether, is that the bad guys know that all systems have an account named root, so they don't have to find out the username, and focus on cracking the password. If you have no root account, finding the username is one more obstacle to overcome. I don't know how much difference this really makes.

  3. #3
    Blackfooted Penguin daark.child's Avatar
    Join Date
    Apr 2006
    Location
    West Yorks
    Posts
    4,393
    The other argument for using sudo and disabling the root account altogether, is that the bad guys know that all systems have an account named root, so they don't have to find out the username, and focus on cracking the password. If you have no root account, finding the username is one more obstacle to overcome. I don't know how much difference this really makes
    I think locking the root account is risky because if someone cracks one of the admin user accounts, then they could unlock the root account, give it a passwd and basically own the system.

  4. $spacer_open
    $spacer_close
  5. #4
    Linux Guru reed9's Avatar
    Join Date
    Feb 2009
    Location
    Boston, MA
    Posts
    4,651
    If they crack the admin account, they would already own the system whether or not they re-enabled root, wouldn't they?

    Also, why would it be harder to crack the root account than the admin user account?

    I could see an argument that sudo could be dangerous, since most systems are set up to not allow root to login remotely. So if you've cracked the admin user account, you could have free reign via remote connection, more easily than if you had to crack root.

    I don't really know. Detailed security issues are beyond my scope of knowledge.

  6. #5
    Blackfooted Penguin daark.child's Avatar
    Join Date
    Apr 2006
    Location
    West Yorks
    Posts
    4,393
    Quote Originally Posted by reed9 View Post
    If they crack the admin account, they would already own the system whether or not they re-enabled root, wouldn't they?

    Also, why would it be harder to crack the root account than the admin user account?

    I could see an argument that sudo could be dangerous, since most systems are set up to not allow root to login remotely. So if you've cracked the admin user account, you could have free reign via remote connection, more easily than if you had to crack root.

    I don't really know. Detailed security issues are beyond my scope of knowledge.
    If you cracked an admin account then yes you already own the system. If you went on to unlock the root account, you could easily lock out the admins from the system, remove them as admins, create your own users accounts that can access the system remotely etc.

  7. #6
    Linux Guru reed9's Avatar
    Join Date
    Feb 2009
    Location
    Boston, MA
    Posts
    4,651
    If you cracked an admin account then yes you already own the system. If you went on to unlock the root account, you could easily lock out the admins from the system, remove them as admins, create your own users accounts that can access the system remotely etc.
    I still don't follow why it would be safer not to use sudo. You don't need to enable root to lock out any other users. You could easily create a new admin user account and delete the old user account. Whether someone cracks the admin user account or the root account, they have full run of the system.

  8. #7
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    To me the advantages are four fold:
    • Commands are logged
    • There can be multiple system admins without handing out the root password
    • You can grant partial root access, i.e. for a specific command
    • You are discouraged from just running a shell as root, i.e. you only prefix your root commands with sudo, not ls, cd etc
    That last one is important. It's too easy to open a root shell, leave it open and find yourself cheating away by running everyday commands as root. It's important to remember to stick to your user and only elevate privilege when you need it - that's the best part of sudo for me.

    daark.child, I have to agree with reed9 on this one, if you crack a user in the sudo/wheel/admin group you already have the equivalent of root. Cracking one of these users is the same as cracking root, no need to unlock root. On the same note if they got root all they'd need to do is change the password.

  9. #8
    Blackfooted Penguin daark.child's Avatar
    Join Date
    Apr 2006
    Location
    West Yorks
    Posts
    4,393
    Quote Originally Posted by reed9 View Post
    I still don't follow why it would be safer not to use sudo. You don't need to enable root to lock out any other users. You could easily create a new admin user account and delete the old user account. Whether someone cracks the admin user account or the root account, they have full run of the system.
    I wasn't implying that its not safer to use sudo. What I was focusing on is the locked root account. Personally I would unlock the root account, set a strong password for the account and limit what commands the admin group can run to prevent being rooted if any admin account is compromised.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •