[nSLUG] ubuntu 5.1
George N. White III
aa056 at chebucto.ns.ca
Sun Dec 11 08:23:14 AST 2005
On Sat, 10 Dec 2005, Stephen Gregory wrote:
> On Sat, Dec 10, 2005 at 08:10:15PM -0400, Rich wrote:
>> hmm I haven't dabbled with ubuntu, but this setup would make me very
>> nervous. Just don't like sudo at all. Reminds too much of a windows
>> environment, where everything is writable or breakable.
> sudo setups are perfectly safe. It is a better way to manage root
> access. It forces the user/administrator to think before using root
> permissions. Sudo has been around for many years. It is well tested
> and the security risks are well understood.
> A windows environment is completely different. Windows encourages (all
> but forces) users to run as a superuser/administrator all the time.
At work we have a special account for use by "robots". Unfortunately, the
UPS network daemon, which requires admin. privileges, is needed to
shutdown properly in a power outage but can't be used by robot logins on
I'd add: the main weakness is that an attacker need only get a sudoer's
password. With several sudoers, possibly using remore logins, there are
more opportunities to get one. OTOH, most attacks start with a user
password and a security flaw that provides root access. Sudo can make the
cracker's job harder because it logs access and can restrict the commands
available to a user. If the sudo logs can be kept on a remote system it
is much harder for a cracker to cover their tracks.
Sudo logs every command, so on systems where more than one person
needs "root" privileges, it is a convenient way to keep track of changes.
George N. White III <aa056 at chebucto.ns.ca>
More information about the nSLUG