[nSLUG] ubuntu 5.1

George N. White III aa056 at chebucto.ns.ca
Sun Dec 11 08:23:14 AST 2005


On Sat, 10 Dec 2005, Stephen Gregory wrote:

> On Sat, Dec 10, 2005 at 08:10:15PM -0400, Rich wrote:
>
>> hmm  I haven't dabbled with ubuntu, but this setup would make me very
>> nervous.  Just don't like sudo at all.  Reminds too much of a windows
>> environment, where everything is writable or breakable.
>
> sudo setups are perfectly safe. It is a better way to manage root
> access. It forces the user/administrator to think before using root
> permissions. Sudo has been around for many years. It is well tested
> and the security risks are well understood.
>
> A windows environment is completely different. Windows encourages (all
> but forces) users to run as a superuser/administrator all the time.

At work we have a special account for use by "robots".  Unfortunately, the 
UPS network daemon, which requires admin. privileges, is needed to 
shutdown properly in a power outage but can't be used by robot logins on 
these systems.

I'd add:  the main weakness is that an attacker need only get a sudoer's 
password. With several sudoers, possibly using remore logins, there are 
more opportunities to get one.  OTOH, most attacks start with a user 
password and a security flaw that provides root access.  Sudo can make the 
cracker's job harder because it logs access and can restrict the commands 
available to a user.  If the sudo logs can be kept on a remote system it 
is much harder for a cracker to cover their tracks.

Sudo logs every command, so on systems where more than one person
needs "root" privileges, it is a convenient way to keep track of changes.

-- 
George N. White III  <aa056 at chebucto.ns.ca>


!DSPAM:439c1abe86001177520034!




More information about the nSLUG mailing list