Sudo vs. Root

lessthan0 writes "In Mac OS X, the root account is disabled by default. The first user account created is added to the admin group and that user can use the sudo command to execute other commands as root. The conventional wisdom is that sudo is the most secure way to run root commands, but a closer look reveals a picture that is not so clear." The article is about OSX but the debate is a little older ;)

Layered Security

[Mattygfunk1]

The conventional wisdom is that sudo is the most secure way to run root commands, but a closer look reveals a picture that is not so clear.

The article doesn't say that sudo isn't the most secure way to run commands, it just details how to make it even more secure.

This just in:

[djh101010]

News flash: Sudo, like many other tools, has a configuration file, which allows you to customize it's behavior. Details will be provided as they become available.

C'mon, anyone with even a passing involvement with sudo has looked at the sudoers file. You can configure pretty much any group or role based permission you want; if you can describe it as a logical statement, you can do it in sudo. Yes, out of the box, you can sudo to a shell (or to an app which has a shell escape).

How To Become Root on OS X

[Synesthesiatic]

Last login: Tue Mar 21 10:44:32 on ttyp1
Welcome to Darwin!
Hunter:~ Adam$ sudo su
Password:
Hunter:/Users/Adam root#

This is on an unmodified install....woops I guess that root account wasn't disabled after all!

Re:How To Become Root on OS X

[beelsebob]

The root account is disabled by having the shadow password set to * - thus you can't enter a valid password for root. If you already are root (as in this case) you don't need to enter a password, and thus it allows you to do the command.

Re:Messed up sudoers

[petermgreen]

oh yeah not having physical access (or a serial console) means you have to be VERY carefull when touching certain parts of the config. This particular example can be avoided by having another way to get root but there are many others such as iptables, sshd etc

btw you don't need a livecd if you can get to the bootloader prompts, just use init=/bin/bash on the kernel command line and the box will drop straight into a shell. Type exec /sbin/init when you are done to resume normal boot.

Didn't we already have the wheel group for this

[SpaghettiPattern]

Didn't we already have the wheel group for this? No direct root login and only members of wheel can su to root. http://en.wikibooks.org/wiki/Guide_to_Unix/Explana tions/Becoming_Root

Re:Sudo is only useful when there are lots of admi

[Joshua+Cowan]

most admins get so irritated at having to type sudo before every command that they'll just sudo into a shell and be done with it

The BOFH patch for Bash works well for this scenario.

For a single-user system, sudo is pointless.

It is an effective way to eliminate root logins and encourage least privilege practices.

Re:Sudo is only useful when there are lots of admi

[Flwyd]

I'm the only user on my Linux laptop. My password is dead simple; I'm not worried about security -- the most likely people who might try to do something to my computer are other developers in my company, and they probably have a good reason.

However, I never run sudo su Why? Being forced to type "sudo" in front of potentially dangerous commands forces me to think a second time and make sure I'm not doing something stupid. If I type rm -r * and get prompted that I don't have access, you bet I'm going to double check to see if I'm in the right directory.

Re:Sudo is only useful when there are lots of admi

[goodchef]

Read the sudo manpage. After you authenticate for the first sudo command, subsequent invocations won't require a password for a set interval of time (default is 5 minutes, unless overridden in /etc/sudoers).

Re:Sudo is a tool not the entire solution

[Hieronymus+Howard]

4. Allowing non-human users (e.g. www) to execute a strictly limited set of commands as root.

For example, I have this command in my sudoers file:

www ALL = NOPASSWD: /sbin/ipfw add 2000 deny ip from [0-9.]* to any in

This allows apache to use /sbin/ipfw to add the ip addresses of script kiddies to the firewall. Note that only adding addresses to one particular rule (in this case rule 2000) is allowed - any other usage of ipfw will fail.

Alternate methods

[Spazmania]

I ran in to these kinds of issues back in the Solaris 2.2 days and came up with a different solution.

Solaris' problems were even more acute. Sudo was a download; it didn't come with the system. If you changed root's shell from the minimal Bourne shell the boot scripts would malfunction. More, root's home directory was "/". So setting up a personalized environment where you could use root access effectively was a pain.

The solution I came up with was a second root account. I just added another name with uid 0 using a seperate password, a seperate home directory and the ksh shell. Then I randomized the main root password, stored it away and promptly forgot it. I'd only need it for fsck on boot.

Later when I was in charge of multiple system administrators I gave each one their own root account. This let them set up their environment in a way that worked for them, it showed me who was using root commands when and it logged their commands to individual .bash_historys so I could see who screwed up.

It also means that like with sudo when a sysadmin leaves I don't have to change all the passwords. I just delete their account.

I still use sudo for folks who I don't expect to do much as root, but the sysadmins get their own root account.

Re:I, Root

[Aranth+Brainfire]

Same reason you're not supposed to log into Windows as an administrator all the time; if something goes wrong (security hole in a user-run program), or if you accidentally use the wrong command, your system isn't totally screwed (hopefully).

Windows actually has a similar feature, sort of- right-click on something and choose "run as...", then log in as an administrator.