Productive Linux
ACPI administration advocacy advocacy advocacy opinion alsa amarok apache apple apt aptitude audio audo authentication automount avi awk bash BIOS boot business cache calendar calibre cdr cdrecord censorship commandline computerscience console convert cron cut database date debian degree design desktop development disk dpkg dvd economics education emacs email europe exim faad ffmpeg file files firefox firewall flash foss freedom ftp fun fuse git gnumeric graphics grep growisofs grub gtkpod hardware hardware html idiocy image imagemagick images installation ip iphone ipod iptables iso itunes ivman kde kernel keyboard knoppix lame laptop latex linux locale lockin longlines m4a microsoft mimetypes minitab mount mp3 mp4 mplayer multimedia music mysql network nfs nfs4 nmap openbox openoffice opinion opinion partition pdf perl php politics postgresql printing privacy programming rant remote rhythmbox rss rsync rxvt scp screengrab screenshot script scripting scsi security sed server shell siteadmin sitenews sitesoftware skype skype slackware sound sox spam spreadsheet ssh statistics subversion sudo svk swap t23 t43 terminal text thinkpad thunderbird time timezone ubuntu udev upgrade usb usbmount users uuid versioncontrol vfat video vnc windows wine wordpress wordprocessing X40 xwindows xwindows youtube
This post reveals why you need sudo, a program that allows a user to execute a command as another user, e.g. root.
Using sudo means you don't have to log in as root to run system-administration commands. It stops the temptation of type-and-be-damned approached to computing, and encourages you think before prepending a command with 'sudo'.
In particular, if you try to run a command and find you can't, it makes you stop and think before running it again with 'sudo'.
Sudo also logs every command, so you can see who did what.
Even better than that it allows fine-grained control over command that each user can run.
You should hardly ever have to run as 'root' and certainly hardly ever be in a position where you could type 'rm -rf /' without being forced to think what it means.
sudo is fine as long as the particular user can only execute a restricted list of commands. If sudo -l says ALL then it's in my opion worse than having a root account as you then only need somebody to gain access to your account password and they now can gain access to root. Personally for security and if you know what you are doing I prefer having a separate root account that's used as it's supposed to be used, ie only when really required for installing software system wide etc. With a typical user / root setup if somebody gained access to my home account ie they know the password they would have a lot more difficulty gaining access to my root account as it's password is a strong password of over 20 characters long.
sudo is useful for new users as long as it has a restricted command list.
Personally I prefer to use the traditional method and teach people NOT to run routinely as root.
Regards
Just to clarify, when I say sudo (with no restricted commands) is worse than having a root account I mean when root has no login (as in the case of ubuntu) ie your home account and sudo command use the same password, hence somebody manages to obtain to account password, because they now know your account password they don't need to know the root password to gain access to root. Under Opensuse sudo is available for users however unless you are in the list you have to provide the root password. To me having root login adds a second layer of security that sudo removes for convenience. Don't get me wrong, I use sudo and find it useful, ie in allowing some users restricted access to root. I'm not convinced unbuntu's method is more secure. I think they have basically used sudo to stop users running their desktop as root (not a good thing, unless you are aware of the risks!).
So in summary if you use the traditional distro that has a root login, DON'T run your programs as root, always run as a user and if you run ubuntu and use sudo (hopefully with restrictions on what you can do) then you should be ok unless somebody gains access to your account password, then they have system wide access presumably as sudo on ubuntu requires you to only enter your user account password and not a superuser password.
Regards
Nick, I agree with you. I think Ubuntu's way of doing things is a big security hole. It might be OK, on a desktop that is used only for recreation....but still.
I prefer to restrict sudo access to commands that users really need to run.
Stumble It!
Digg it
Reddit
Even me, sudo is helpful.
//Jadu
Posted by Jadu Saikia on 2008-11-30 09:58:08.