On Wed, 2010-06-02 at 08:31 +1000, Jim Cheetham wrote:
> On Wed, Jun 2, 2010 at 7:57 AM, Peter Glassenbury (CSSE)
> <[email protected]> wrote:
> > Like Volker, I have yet to be convinced of the point of typing
> > "sudo " in front of all the commands I want to run as root.
> > When it becomes reflex, you are going to make the same mistakes
> > as if you login as root.
>
> If you are the owner of the computer in question and you are
> "competent", there is no reason at all not to use root all the time.
> Just set your uid to 0 and be done with it. I'm as serious with that
> comment as I am with "writing passwords down", i.e. very serious.
>
> However, if you are *not* the owner (i.e. in any business context)
> then sudo provides a very valuable audit log experience. You have 5
> admins -- which one was it that logged on as root and broke your
> production system? With sudo, it is much easier to track back on
> problems. You can use sudo to get a root shell, rather than restrict
> it to individual commands, if you want the flexibility.
>
> -jim

I am in absolute agreement with both of these statements (although I expect you're waiting for the flame war as well Jim), until it comes to directly accessing remote systems as root - even if it is your server.

Having to guess which user account to ssh into (there are plenty of account name popularity lists around to suggest the ones *not* to use), as well as the password massively increases security. Add a fail2ban / denyhosts and it'll take a pretty serious distributed attack to succeed.

Personally, I add a vpn to the mix as well, and only use raw ssh in an emergency from specific IP addresses. That way they have to find my treehouse in Borneo before going for my servers. (Oh what a giveaway!)

But in a shared admin environment, the sudo's audit trail gets rid of all those sloping shoulders... and we all make mistakes after all!

My $0.02,

Steve

--
Steve Holdoway <[email protected]>
http://www.greengecko.co.nz
MSN: [email protected]
Skype: sholdowa
