On Tuesday, November 13, 2012 11:37:00, Jack Chastain wrote:
> On Tue, Nov 13, 2012 at 10:34 AM, Chris Knadle <[email protected]> wrote:
> > On Ubuntu users are expected to run root-level scripts/programs via sudo,
> > and not use su *because there's no root account* -- while its parent
> > Debian tends to focus on using su more often than sudo. There are
> > arguments as to which is "more secure", and I haven't seen a definitive
> > conclusion on that.
>
> I am really just learning the Ubuntu ropes, but I wondered about that -
> particularly since I actually did su to root when playing around with the
> original post:
>
> jack@Dell-Dimension:~$ cat /etc/passwd
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>
> jack@Dell-Dimension:~$ su -
> Password:
> root@Dell-Dimension:~# pwd
> /root
> root@Dell-Dimension:~# id
> uid=0(root) gid=0(root) groups=0(root)
> root@Dell-Dimension:~#
>
> Now - to be completely forthcoming, in order to do this I initially had to
> issue "sudo passwd root" and set the root password, but Ubuntu does appear
> to have a root UID. Am I missing something here?

Phht! :-) No -- I think /I/ am.

The fact that there /is/ a root user on Ubuntu but the password not set sort
of makes sense -- because most of the packages that get installed on Ubuntu
are owned by root, so it would really suck to see the owner/group of all the
files be a UID/GID number like "0 0" instead of "root root".

So I had the right /idea/ but the wrong details. ;-) Thanks for the
correction.

On Tuesday, November 13, 2012 11:32:45, dragorn wrote:
> On Tue, Nov 13, 2012 at 10:34:44AM -0500, Chris Knadle wrote:
> > On Ubuntu users are expected to run root-level scripts/programs via sudo,
> > and not use su because there's no root account -- while its parent
> > Debian tends to focus on using su more often than sudo. There are
> > arguments as to which is "more secure", and I haven't seen a definitive
> > conclusion on that.
>
> Setting aside sudo's history (though it's been much better) of
> exploitable coding bugs, the answer is "it depends".
>
> If you have 100% trusted system administrators, 'su' is likely more
> secure, because it requires knowledge of the root credentials and when
> you give someone 'su' you know you're giving them everything - there
> is no debate if they can exceed their privileges, because, of course
> they can.
>
> If you need semi-trusted users to perform some degree of system
> administration and need an audit trail, sudo *can* be the tool for the
> job - if you're very very careful. I've used it in previous lives to
> give semi-admins the ability to set up permissions on directories,
> etc, using command filtering in sudo and carefully written scripts
> that prevent them from going outside of the directories they're
> allowed.

I totally agree with all of the above. When wanting to give root access for
a /limited/ number of things someone can run, that's where sudo makes sense.

> The second is much more dangerous, since you may inadvertently give
> someone more privileges than you realize, and they're "not fully
> trusted", or you'd just give them root in the first place.

Yes, I see what you mean.

> Still, sudo definitely has its place in a multiuser system. It just
> easily gives you enough rope to hang yourself if you're not very
> careful.
>
> For a single user system the point is more or less moot, I think.

I think so too, but for some reason I still see occasional debate on it.

  -- Chris

--
Chris Knadle
[email protected]
_______________________________________________
Mid-Hudson Valley Linux Users Group
http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug

Upcoming Meetings (6pm - 8pm) Vassar College
  Dec 5 - SysAdmin Panel
  Jan 9 - High Performance Computing
  Feb 6 - February Meeting
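
A sketch of the kind of path-restricting script dragorn describes above, as an added example that is not part of the original thread and not anyone's actual script: it canonicalizes the requested path before acting, so symlinks and ".." cannot lead outside the permitted tree. The names `ALLOWED_ROOT`, `resolve_inside_root` and `grant_group_write`, and the `/srv/projects` default, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: path check for a script intended to be run through sudo.
# ALLOWED_ROOT and both function names are hypothetical, not from the thread.
ALLOWED_ROOT="${ALLOWED_ROOT:-/srv/projects}"

# Print the canonical form of $1 and return 0 only if it resolves to a
# location strictly below $ALLOWED_ROOT once symlinks and ".." are resolved.
# The root itself is refused so the wrapper can never alter it.
resolve_inside_root() {
    local root target
    root=$(readlink -f -- "$ALLOWED_ROOT") || return 2
    target=$(readlink -f -- "$1" 2>/dev/null) || return 1
    case "$target" in
        "$root"/*) printf '%s\n' "$target"; return 0 ;;
        *)         return 1 ;;
    esac
}

# Give the owning group full access to one existing directory under the root.
# Acts on the canonical path, never on the string the caller supplied.
grant_group_write() {
    local dir
    dir=$(resolve_inside_root "$1") || { echo "refused: $1" >&2; return 1; }
    [ -d "$dir" ] || { echo "not a directory: $1" >&2; return 1; }
    chmod g+rwx -- "$dir"
}

# When invoked with an argument (for example through a sudo rule that
# permits only this script), handle that single path.
if [ "$#" -gt 0 ]; then
    grant_group_write "$1"
fi
```

The check and the `chmod` are two separate steps, so this is only sound where the semi-trusted user cannot rename or replace path components under the root between them.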
