On Tue, Nov 13, 2012 at 10:34:44AM -0500, Chris Knadle wrote: > On Ubuntu users are expected to run root-level scripts/programs via sudo, and > not use su because there's no root account -- while it's parent Debian tends > to focus on using su more often than sudo. There are arguments as to which > is > "more secure", and I haven't seen a definitive conclusion on that.
Setting aside sudo's history (though it's been much better) of exploitable coding bugs, the answer is "it depends". If you have 100% trusted system administrators, 'su' is likely more secure, because it requires knowledge of the root credentials and when you give someone 'su' you know you're giving them everything - there is no debate if they can exceed their privileges, because, of course they can. If you need semi-trusted users to perform some degree of system administration and need an audit trail, sudo *can* be the tool for the job - if you're very very careful. I've used it in previous lives to give semi-admins the ability to set up permissions on directories, etc, using command filtering in sudo and carefully written scripts that prevent them from going outside of the directories they're allowed. The second is much more dangerous, since you may inadvertently give someone more privileges than you realize, and they're "not fully trusted", or you'd just give them root in the first place. Still, sudo definitely has it's place in a multiuser system. It just easily gives you enough rope to hang yourself if you're not very careful. For a single user system the point is more or less moot, I think. --
signature.asc
Description: Digital signature
_______________________________________________ Mid-Hudson Valley Linux Users Group http://mhvlug.org http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug Upcoming Meetings (6pm - 8pm) Vassar College Dec 5 - SysAdmin Panel Jan 9 - High Performance Computing Feb 6 - February Meeting
