On Tue, Aug 07, 2018 at 09:22:07AM -0400, The Wanderer wrote:
> Or, rather, that you can do elevated-access things with the same
> credentials as are used to permit non-elevated access.
> I consider that to be, by definition, a security hole.
That can be addressed three ways: first, you can have sudo require the
root password instead of the user password; second, you can use pam to
have sudo require different credentials than the login password; third,
you can use pam to have sudo require multi-factor authentication. The
configuration that makes the most sense depends heavily on the local
environment. I'd personally consider a well-implemented multi-factor
scheme to be much more secure (and easier to manage) than discrete
root passwords, and much easier to implement safely (including emergency
access) using sudo rather than su. I tend to agree that just replacing
su with sudo doesn't buy much security and may be a net negative if done
carelessly; to really get value from sudo requires a good bit of
customization--and it's hard to see a return on that work in a small
environment. If the security factors are the same and the workflow is
functionally identical except that instead of "su -" someone uses "sudo
-s" or prefixes every command with sudo, it seems clearly a matter of
preference and muscle memory rather than substance.
Mike Stone
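The three options above (sudo asking for the root password, a separate sudo credential via PAM, and multi-factor via PAM) as staged configuration files, written as an added example for this thread rather than anything posted in it. The script renders each variant into a scratch directory so it can be reviewed and, for the sudoers drop-in, syntax-checked with visudo before anything under /etc is touched. The staging path, the pam_userdb database location and the choice of the google-authenticator PAM module for the MFA step are assumptions, not settings from the discussion; `Defaults rootpw`, `timestamp_timeout`, `pam_userdb.so` and the Debian-style `@include common-auth` lines are real sudoers and PAM constructs.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: stage the three sudo-hardening
# variants discussed (root password, separate sudo credential via PAM, multi-factor
# via PAM) into a scratch directory for review. $STAGE, the pam_userdb database
# path and the google-authenticator module are assumptions.
STAGE="${STAGE:-$(mktemp -d)}"

# Variant 1: sudoers drop-in that makes sudo ask for root's password instead of
# the invoking user's own (so the login password alone grants nothing extra).
sudoers_rootpw() {
cat <<'EOF'
# Ask for root's password rather than the invoking user's password.
Defaults rootpw
# Do not cache credentials; every sudo invocation re-authenticates.
Defaults timestamp_timeout=0
EOF
}

# Variant 2: /etc/pam.d/sudo stack that checks a sudo-only credential database
# (pam_userdb) instead of the login password. Assumed path: /etc/security/sudo-cred,
# a Berkeley DB built with db_load; pam_userdb appends ".db" to the db= value itself.
pam_sudo_separate_cred() {
cat <<'EOF'
#%PAM-1.0
auth     required  pam_userdb.so db=/etc/security/sudo-cred crypt=crypt
@include common-account
@include common-session-noninteractive
EOF
}

# Variant 3: /etc/pam.d/sudo stack that requires a TOTP code in addition to the
# normal password (google-authenticator-libpam assumed to be installed).
pam_sudo_mfa() {
cat <<'EOF'
#%PAM-1.0
auth     required  pam_google_authenticator.so
@include common-auth
@include common-account
@include common-session-noninteractive
EOF
}

# Write one variant into the staging tree and print its path. The PAM variants
# are staged under distinct names; either would be installed as /etc/pam.d/sudo.
# When visudo is present, the sudoers drop-in is syntax-checked (result reported
# on stderr only, so a missing or old visudo never changes the staging outcome).
# Usage: stage_variant rootpw|separate|mfa
stage_variant() {
    case "$1" in
        rootpw)   dir="sudoers.d"; file="10-rootpw";          render=sudoers_rootpw ;;
        separate) dir="pam.d";     file="sudo.separate-cred"; render=pam_sudo_separate_cred ;;
        mfa)      dir="pam.d";     file="sudo.mfa";           render=pam_sudo_mfa ;;
        *) echo "unknown variant: $1" >&2; return 1 ;;
    esac
    mkdir -p "$STAGE/$dir"
    "$render" > "$STAGE/$dir/$file"
    chmod 0440 "$STAGE/$dir/$file"   # the mode sudo expects for sudoers fragments
    if [ "$dir" = sudoers.d ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$STAGE/$dir/$file" || echo "visudo rejected $file" >&2
    fi
    echo "$STAGE/$dir/$file"
}

# Stand-alone run: stage all three variants and list where they landed.
if [ "${1:-}" = "--all" ]; then
    for v in rootpw separate mfa; do stage_variant "$v"; done
fi
```

Run it with `--all` to populate the staging directory, then diff the files against the live `/etc/sudoers.d` and `/etc/pam.d/sudo` before installing. Variant 1 is the smallest change and keeps emergency access simple (root's password still works), while variants 2 and 3 are where the "good bit of customization" mentioned above lives: the extra credential store or the per-user TOTP enrolment has to be provisioned and recoverable before the PAM stack is switched over.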