On Tue, Nov 13, 2012 at 11:52 AM, Chris Knadle <[email protected]> wrote:

> On Tuesday, November 13, 2012 11:37:00, Jack Chastain wrote:
> > On Tue, Nov 13, 2012 at 10:34 AM, Chris Knadle <[email protected]> wrote:
> > > On Ubuntu users are expected to run root-level scripts/programs via
> > > sudo, and not use su *because there's no root account* -- while its
> > > parent Debian tends to focus on using su more often than sudo.  There
> > > are arguments as to which is "more secure", and I haven't seen a
> > > definitive conclusion on that.
> >
> > I am really just learning the Ubuntu ropes, but I wondered about that -
> > particularly since I actually did su to root when playing around with the
> > original post:
> >
> > jack@Dell-Dimension:~$ cat /etc/passwd
> > root:x:0:0:root:/root:/bin/bash
> > daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> >
> > jack@Dell-Dimension:~$ su -
> > Password:
> > root@Dell-Dimension:~# pwd
> > /root
> > root@Dell-Dimension:~# id
> > uid=0(root) gid=0(root) groups=0(root)
> > root@Dell-Dimension:~#
> >
> > Now - to be completely forthcoming, in order to do this I initially had
> > to issue "sudo passwd root" and set the root password, but Ubuntu does
> > appear to have a root UID. Am I missing something here?
>
> Phht!  :-)  No -- I think /I/ am.
>
> The fact that there /is/ a root user on Ubuntu but the password not set
> sort of makes sense -- because most of the packages that get installed on
> Ubuntu are owned by root, so it would really suck to see the owner/group
> of all the files be a UID/GID number like "0 0" instead of "root root".
>
> So I had the right /idea/ but the wrong details.  ;-)
> Thanks for the correction.
>
>
Ha! No worries - I was wondering if I had gone and screwed something up
using my old Solaris habits there, but what you and others are saying makes
lots of sense. My immediate thought (and practice at work) was just to
become root and see what things were like - and when I couldn't get in, I
just set the password. Since I am the "only" user on my system, that
doesn't really bother me a lot - though I suppose it loosens the technical
security a bit.

There are also the semantic differences between Linux and Solaris to
consider. As I said - I am trying to learn.

All makes sense too. Which is kind of cool in itself. On to trying to work
out a few more details. (BTW: I generally SUCK at issues relating to both
su and sudo - and am trying to pick up where my deficiencies lie and fix
that - mostly because work now occasionally requires it - a situation I
don't care for very much)

JC

>
> On Tuesday, November 13, 2012 11:32:45, dragorn wrote:
> > On Tue, Nov 13, 2012 at 10:34:44AM -0500, Chris Knadle wrote:
> > > On Ubuntu users are expected to run root-level scripts/programs via
> > > sudo, and not use su because there's no root account -- while its
> > > parent Debian tends to focus on using su more often than sudo.  There
> > > are arguments as to which is "more secure", and I haven't seen a
> > > definitive conclusion on that.
> >
> > Setting aside sudo's history (though it's been much better) of
> > exploitable coding bugs, the answer is "it depends".
> >
> > If you have 100% trusted system administrators, 'su' is likely more
> > secure, because it requires knowledge of the root credentials and when
> > you give someone 'su' you know you're giving them everything - there
> > is no debate if they can exceed their privileges, because, of course
> > they can.
> >
> > If you need semi-trusted users to perform some degree of system
> > administration and need an audit trail, sudo *can* be the tool for the
> > job - if you're very very careful.   I've used it in previous lives to
> > give semi-admins the ability to set up permissions on directories,
> > etc, using command filtering in sudo and carefully written scripts
> > that prevent them from going outside of the directories they're
> > allowed.
>
> I totally agree with all of the above.  When wanting to give root access
> for a /limited/ number of things someone can run, that's where sudo makes
> sense.
>
> > The second is much more dangerous, since you may inadvertently give
> > someone more privileges than you realize, and they're "not fully
> > trusted", or you'd just give them root in the first place.
>
> Yes, I see what you mean.
>
> > Still, sudo definitely has its place in a multiuser system.  It just
> > easily gives you enough rope to hang yourself if you're not very
> > careful.
> >
> > For a single user system the point is more or less moot, I think.
>
> I think so too, but for some reason I still see occasional debate on it.
>
>   -- Chris
>
> --
> Chris Knadle
> [email protected]
> _______________________________________________
> Mid-Hudson Valley Linux Users Group                  http://mhvlug.org
> http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug
>
> Upcoming Meetings (6pm - 8pm)                         Vassar College
>   Dec 5 - SysAdmin Panel
>   Jan 9 - High Performance Computing
>   Feb 6 - February Meeting
>



-- 
Eschew obfuscation and pompous prolixity.

Light a man a fire, he is warm for the night.
Light a man afire, he is warm for the rest of his life.
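
The "command filtering in sudo and carefully written scripts" approach dragorn describes in the quoted text, sketched as an added example that is not part of the original thread or any poster's code. The group name, script path, allowed directory and mode list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: a wrapper meant to be the ONLY command a sudoers rule grants,
# e.g. (hypothetical group and path, edited with visudo):
#   %diradmins ALL=(root) /usr/local/sbin/set-dir-perms
# The rule filters WHICH command runs; the script filters WHAT it may touch.

ALLOWED_ROOT="${ALLOWED_ROOT:-/srv/projects}"   # assumed confinement directory

# Succeeds only if $1, after resolving symlinks and "..", is an existing
# directory strictly below ALLOWED_ROOT (the root itself is refused).
path_is_allowed() {
    pia_root=$(readlink -f -- "$ALLOWED_ROOT") || return 1
    pia_target=$(readlink -f -- "$1") || return 1
    [ -d "$pia_target" ] || return 1
    case "$pia_target" in
        "$pia_root"/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Fixed allow-list of modes: no setuid/setgid/sticky bits, nothing world-writable.
mode_is_allowed() {
    case "$1" in
        750|755|770|775) return 0 ;;
        *)               return 1 ;;
    esac
}

set_dir_perms() {
    mode_is_allowed "$1" || { echo "refused mode: $1" >&2; return 2; }
    path_is_allowed "$2" || { echo "refused path: $2" >&2; return 3; }
    # Operate on the resolved path, not the caller's string. A race remains if
    # the caller can rename parent directories between the check and chmod.
    chmod -- "$1" "$(readlink -f -- "$2")"
}

# Invoked as: sudo /usr/local/sbin/set-dir-perms MODE DIRECTORY
if [ "$#" -eq 2 ]; then
    set_dir_perms "$1" "$2"
fi
```

A lexical prefix check on the caller's string would accept both a symlink that points out of the tree and a `..` path that climbs out of it; resolving the path before comparing is what refuses them.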