I am not sure what prompted the author to respond to what it clearly the opinion of someone who knows nothing about Unix administration, much less sudo.
However, I am glad that the author mentioned the one argument for using sudo which trumps every possible objection: logging. Log files are critical to the successful investigation and prosecution of security incidents. Knowing whose account executed a sudo command is invaluable.
Discussion on:
View:
Show:
I am not sure why the author did this either, but I am glad they did. I did get some useful knowledge from this, even if it was in protest to what happened.
I am not condemning your post though, just giving insight to my position. I guess a spark went off to notify others of the real use to a very great tool in our world.
I am not condemning your post though, just giving insight to my position. I guess a spark went off to notify others of the real use to a very great tool in our world.
Being informative should never be decried.
I think the many woes from the original post were inspired by single users and it is annoying when you have to change settings that are meant for a different set up.Change your own pc and be damned.
Perhaps, what is being lost, in the strive towards 'ease of use' is the protection inherent in the previous set up.
Roy
I think the many woes from the original post were inspired by single users and it is annoying when you have to change settings that are meant for a different set up.Change your own pc and be damned.
Perhaps, what is being lost, in the strive towards 'ease of use' is the protection inherent in the previous set up.
Roy
The note should have made a bigger point of proper configuration. After all sudo bash has the same effect
as su when the configuration is ALL ALL
as su when the configuration is ALL ALL
I agree with everything you said about sudo. It provides a mechanisim to prevent you from shooting yourself in the foot, it is much more obvious what you are doing when you have to type "sudo /some/command" and it gives you a moment to pause and reflect about what you are doing. I have seen seasoned administrators do and rm -rf * as root only to discover they are in the root directory. I have worked to two companies over the last 15 years and at both of then we used sudo for everything. The only reason to log in to the root account is to do an fsck on a broken system.
Use SUDO and ROOT together
I use sudo for short, simple changes and updates that require the root priviledge.
For instance, I need to read a log file or check a /boot/grub file to ensure things are setup up correctly.
I use root in a bash (and only in bash, no X) when I need to make big changes.
For instance, add a user, setup a new HD, run maintenance functions.
The root privilege is a convenience for the big task; keeps you from having to prefix every command with sudo.
I don't agree with Ubuntu that the root is never good, it has its place and time.
I use sudo for short, simple changes and updates that require the root priviledge.
For instance, I need to read a log file or check a /boot/grub file to ensure things are setup up correctly.
I use root in a bash (and only in bash, no X) when I need to make big changes.
For instance, add a user, setup a new HD, run maintenance functions.
The root privilege is a convenience for the big task; keeps you from having to prefix every command with sudo.
I don't agree with Ubuntu that the root is never good, it has its place and time.
Ubuntu is setup for the masses. Not for admins. With that in mind. It's much safer to say to the masses. Root no good... Sudo good. KIS (Keep It Simple).
I do as you.. sudo for small jobs, root for the more in depth jobs. I've been doing this since the mid '80s. Most Ubuntu users haven't a clue. I'm not saying the dumb, just ignorant. Simply a lack of knowledge. In which case. Sudo EOF
I do as you.. sudo for small jobs, root for the more in depth jobs. I've been doing this since the mid '80s. Most Ubuntu users haven't a clue. I'm not saying the dumb, just ignorant. Simply a lack of knowledge. In which case. Sudo EOF
That's what sudo -s is for. It gives you a root shell when you have a lot of root work to do.
I strongly prefer sudo and don't like giving the root account passwords out to anyone. It avoids the situation where root account password lists have to be printed and distributed every 3 months, that then sit in people's desks or their bags/wallets. It's just asking for trouble.
I strongly prefer sudo and don't like giving the root account passwords out to anyone. It avoids the situation where root account password lists have to be printed and distributed every 3 months, that then sit in people's desks or their bags/wallets. It's just asking for trouble.
So many admins have no idea about benefits of using sudo versus operating as root.
would you care to elaborate a bit on "Yes, Ubuntu and OS X use it in a very poor fashion..." ?
While I find sudo to be a good tool in the enterprise to allow non-systems administrators to make root calls, I also find that most enterprises don't put enough restriction on its use. This seems to happen due to either laziness or lack of resources to properly manage the environment. I think any serious mention of sudo and security should include a cautionary note about end user access to running commands like vi, find, or non-root controlled scripts as root. These are all gaping holes in security (not sudo), and it will not be logged. Each of these allow the user to bypass logging and run any command they want after the first logged command. For example, vi allows a person to start a new unlogged root shell. Scripts that aren't root restricted for editing, can allow users to place any command within it, and then later remove them from the script.
If you want to log what commands your users and admins are really using you would be better off turning on system auditing to capture success+failed system calls for execl, execve, etc. The advantage of using auditd is that the recorded auid (original login ID) never changes, so you can still track someone even if they su or sudo to invoke a root shell.
you are right about sudo being a useful tool for auditing purposes, which is required for compliance issues in large enterprises; just as you stated.
however, as far as I know, there isn't a way to really restrict a user from starting a shell with sudo, unless you specifically define all commands permissible and avoid programs that can spawn a shell (e.g., vi, more->vi->/bin/sh, etc.). once you give any flexibility in how you configure sudo, a knowledgeable user can circumvent the restrictions by finding access to a root shell; then all the logging goes out the window. does anyone know of a way to prevent this? (other than specifically defining every damn command and avoiding things like vi, more ,etc.)
however, as far as I know, there isn't a way to really restrict a user from starting a shell with sudo, unless you specifically define all commands permissible and avoid programs that can spawn a shell (e.g., vi, more->vi->/bin/sh, etc.). once you give any flexibility in how you configure sudo, a knowledgeable user can circumvent the restrictions by finding access to a root shell; then all the logging goes out the window. does anyone know of a way to prevent this? (other than specifically defining every damn command and avoiding things like vi, more ,etc.)
Though I haven't worked with it, I understand that rvim, a restricted version of vim, is configured specifically to stop the usual ways of escaping out of the editing session.
I worked as a SysAdmin some years ago on the the B2 Stealth Program ("I could tell ya, but then I'd have to kill ya"), and even in an environment with _separate_ networks for classified and unclassified systems, security up the wazoo and one of every computer type known to humankind - with the proper controls, the DBA's and SysAdmins used 'sudo' very happily and effectively.
In my current position, I'd be out of a job if I could not use 'sudo' - since our data center is outsourced, and the edict from On High is: "Thou Shalt Not Give The Root Password To Non-Outsourcer Personnel" - I have 'sudo' on every UNIX server I support Oracle on, with the exception of the Network Appliance - that I do have 'root' on, because of the nature of the NetApp and because we have a DBA-SysAdmin Agreement regarding the Network Appliance.
And we are SOX-audited very stringently, and have not failed any audits in this area - used and audited properly, 'sudo' is a totally acceptable and even preferred tool!
In my current position, I'd be out of a job if I could not use 'sudo' - since our data center is outsourced, and the edict from On High is: "Thou Shalt Not Give The Root Password To Non-Outsourcer Personnel" - I have 'sudo' on every UNIX server I support Oracle on, with the exception of the Network Appliance - that I do have 'root' on, because of the nature of the NetApp and because we have a DBA-SysAdmin Agreement regarding the Network Appliance.
And we are SOX-audited very stringently, and have not failed any audits in this area - used and audited properly, 'sudo' is a totally acceptable and even preferred tool!
I use root for everything, if I rm -f *.* in the root directory it's because I'm stupid and not actually thinking about what the hell I'm doing. I'm not arguing about sudo being a great tool for safety and audting I'm just not that paranoid
Sudo, itself, is a good idea. However, I'll never feel secure allowing someone to use it with a user password. At the very least, the user should be required to use a separate Sudo password. However, I find Sudo rather annoying to use. I simply get a root shell and do my thing.
One thing totally neglected by the ranting person and yourself is that sudo doesn't necessarily have to give out root permissions at all. sudo can also offer only posibility to switch to some specific other user instead of root.
Also you argued with logging. This doesn't help much with people having the habit to use sudo su - nothing to gain from that point.
Also you argued with logging. This doesn't help much with people having the habit to use sudo su - nothing to gain from that point.
- Keyboard Shortcuts:
- Prev
- Next
- Toggle
