Got Root - Should You Use It?

vegthura asks: "I have several coworkers that insist that logging into servers is an acceptable practice. They claim it's just easier than using sudo and it's just as safe - you know you're root so what else do you need? And why bother logging in as you if you're just going to use sudo to run commands with root privileges anyway? Everything I've ever read has been the exact opposite philosophy. There is very little you need to be root to do, if anything in practice, and using sudo lets you only use the power of root for when you really need it. So, die hard unix geeks, you've got root... do you use it or stick to sudo?"

Simple solution

[metamatic]

Disallow direct root login.

Re:Simple solution

[dshaw858]

I do this on all of my servers. And even more, there's this great command if you really need a root shell:
sudo su

Amazing, isn't it? You can login as you and still spawn a root shell if you really need to.

It's easier that way.

- dshaw

Re:Simple solution

[BrokenHalo]

I do this on all of my servers. And even more, there's this great command if you really need a root shell: sudo su

In that case, what benefit is there in disallowing root login? Seems to me that if you don't trust someone with root privileges, you simply don't give him the password - assuming, of course, that you don't have him down in /etc/sudoers as NOPASSWD:ALL.

As far as I'm concerned, when I'm working as admin on any of my machines, I prefer to log in as root simply because I prefer to forego the tedium of typing "sudo" in front of every command line. Sure, it means that I have to be a bit careful what I type (but I haven't trashed a root directory yet) but sudo isn't going to protect anyone from carelessness or stupidity.

Re:Simple solution

[drsmithy]

I do this on all of my servers. And even more, there's this great command if you really need a root shell: sudo su

Congratulations. You have now completely removed almost every reason for using sudo in the first place.

If all you use sudo for is starting a root shell once you've logged in, then save yourself the hassle and just login as root, because you're circumventing basically every benefit sudo offers.

Re:Simple solution

[jessecurry]

sudo su will just drop you into a root shell, but up until that point by forcing people to use sudo you gain a log of all the commands that they pass off with root privileges.
Unfortunately once someone gives the sudo su command all you see in the logs is an indication that some grabbed a root shell. I guess that it's a matter of personal preference, but I like the sudo method. I do login as root on occasion, but I like the extra warning that I might be breaking something with a chmod or mv.

Re:Simple solution

Confucious say: If you play in root, you will kill tree!!!

Re:Simple solution

[Dan+Ost]

You can configure sudo not to allow people to 'sudo su' or 'sudo bash'.

If you bother to read the sudoers manpage, you'll see that there's a lot
you can do with sudo without necessarily giving up complete control of the
root user.

Re:Simple solution

[Schraegstrichpunkt]

sudo -s

Re:Simple solution

[asit+ler]

actually, sudo -s kind of destroys the need for sudo su. And my vote is... I always use sudo, since it Just Works (tm)... Even if it is a bit annoying when I make 30 lines of changes to /etc/network/interfaces, and then go to save and vim says "read-only file" because idiot me forgot 4 letters. ;x

Re:Simple solution

Except for things like:
Log of initial login as real user, so there's a least some vauge accountability
Ability to disable direct root logins by not having a valid password for the root account
Ability to share root access without sharing root password

Granted, when practicle using sudo for individual commands is preferable, but there are times when getting a root shell is still the most appropriate action, and sudo is still useful even in those cases.

Re:Simple solution

[Jim_Maryland]

That might stop some people, but what about:

sudo vi /foo/bar/myfile.txt
:shell

Now I've gone from a vi as root to a shell as root.

Overall, the sudo method works well if you need to let someone have control to a one or more servers you manage without giving access to all the systems, especially if you keep the root password the same on all systems. Now with Solaris including RBAC, that may be an improved way to give certain access without opening the entire system. I haven't messed with it enough yet to know how easily someone can exploit it though.

Re:Simple solution

[Dan+Ost]

If you're going to give someone access to text editing but you don't trust them with
shell access, compile vi/vim/[editor of choice] without access to shell escapes. It's a
compile option for vim and, I would suspect, others. In fact, most new editors probably
don't even have a way to escape to a shell.

Re:Simple solution

[Fulcrum+of+Evil]

Now I've gone from a vi as root to a shell as root.

In a corporate environment, I could simply make that a sackable offense. What you're describing is a personnel problem, not a technical one, so it deserves a personnel solution. The root of the problem (heh heh) is that you're circumventing command logs when you don't have to, so it's at best a violation of trust. At worst, you're up to something nasty.

Re:Simple solution

[Jim_Maryland]

I realize policies can be put in place, but this won't stop someone who really wants to gain a root shell. While companies try to protect from the outside, just as much care must be given to inside threats.

personnel problem, not a technical one

This doesn't change the fact that some people will do this, regardless of their intention. When I first joined one of my employers, using the :shell in vi was pretty much a standard practice for the development team. They weren't using it because of malicious intentions, they just had occasions where it was convenient to not bother the system administrator (and most of the developers were as competent as the SA's anyways).

Re:Simple solution

[Fulcrum+of+Evil]

It's a foregone conclusion that you can get root if you're determined; the question is not preventing malicious users (though that is helped), but stopping people from doing it out of laziness. Sure, a lazy admin can get a root shell and go party, but do you really want him on your team?

Re:Simple solution

I always had to wonder about the point of sudo as opposed to logging in as root.

And then I realized the point.

sudo su - gives you a root shell using YOUR OWN PASSWORD. This means that you don't have to give a sensitive system access password out -- you can even auto-scramble the root password. Then, if you need to revoke a particular user's root access, you don't have to inform everyone about the new root password -- you just remove that user's sudo privileges. Similarly, if an account with sudo privileges is compromised, that account can be locked down without causing trouble for other users.

sudo can be configured to run without requesting a password; this is fine as long as you can guarantee that no privileged user will leave a logged in terminal unattended. If you can't guarantee this, don't allow it.

Sudo wins for me

[Smitedogg]

Using sudo, you can allow 'some' root commands to other users/admins without opening up the vault, and you can do a lot of smart things like keep root unable to be logged into, or have a true strong password that you can lock in a safe somewhere, all without losing functionality.

Re:Sudo wins for me

[ubersonic]

Might as well just link to the manpage ;)
SUDO(8)

Re:Sudo wins for me

[egarland]

Using sudo, you can allow 'some' root commands to other users/admins without opening up the vault.

It's even more useful than that. Using sudo you allow *time limited* root access to execute commands as root and only those you specify specifically to be run as root and each is logged. It drastically reduces your exposure. I use sudo most of the time on my own home server.

Re:Sudo wins for me

[Gopal.V]

Prevents shell from leaking env vars.

bash$ export LD_PRELOAD=/usr/lib/libsomething.so
bash$ sudo strace ls

and tell me whether what you got was expected or not :)

Root

[nagora]

The only reason to log into a server is to do admin work, which will require root. If there's something you are doing on the server that doesn't need root then you probably shouldn't be using the server for that.

I generally only have one user on servers and that's root. Everyone else can access it via nfs/samba/ftp/whatever, but only root gets login.

TWW

Re:Root

[FuzzyBad-Mofo]

Some people actually do development work logged into a remote server. In such cases it's simply good practice to have a separate login for each user. Of course, maybe the particulars of your situation don't require this--but your assertation implies that it's adequate for everone, which it certainly is not.

Re:Root

Sorry but that's bullshit. I have a SVN server with a devel group. The people in the devel group can admin the svn repos via ssh in case they need to but they don't have, and don't need, root access which only I and the other admin have. I can come with many other examples of situations like that one, e.g. Oracle servers where the DBA needs to log but doesn't need root access.

Re:Root

[nagora]

Oracle servers where the DBA needs to log but doesn't need root access.

I don't know about SVN but Oracle has applications which allow remote DB admin without granting shell access to the actual server.

No user should get a prompt on your server if you can avoid it. If you can't then obviously you'll have to give them a login account, but it's much better to not have users accessing the server directly if you can manage it.

TWW

Re:Root

[tha_mink]

No user should get a prompt on your server if you can avoid it.

I think that's the real point here. Nobody should need a prompt except the admin(s). I can't think of one reason that someone whould need a prompt, root or otherwise. Ok, I can think of a few but, the discussion shouldn't really be about root access but more about shell access in general. I suppose it all depends on what kind of machine we're talking about but with servers, db - file - etc, noboby ought to need a shell anyways.

Re:Root

[Richard+Steiner]

I log into servers to view application log files. I'd love to view that small portion of the filesystem remotely, but currently it isn't being exported in any way (making remote access just a tad difficult).

More than just root

[Sentry21]

Using sudo provides a host of benefits besides giving you root. Sudo allows you to grant access to specific users for specific commands, and then revoke those commands later. Compare this with giving the root password to everyone, which requires the password to be changed whenever someone leaves the company (or someone's root privs are revoked).

I can grant access via sudo to users for specific commands, without giving them complete administrative access to the entire system.

When I'm using 'sudo' to do things, my environment stays the same. This means that my $PATH variable stays the same, and so does my prompt. It means that any time I say ~ it refers to /home/myusername and not /root, meaning I can get to it later.

When I'm not using sudo and I do 'cd /var/www/certs/domainname/' and it doesn't give me an error, I know that the permissions are wrong on that directory (more of a reminder than anything). I've gotten so used to this on most systems that the series of commands I use to access the IMAP virtualhost directory is essentially 'cd /var/spool/postfix/virtual; sudo bash; cd /var/spool/postfix/virtual', which slows me down surprisingly not much.

It doesn't take much to hit the up arrow, Ctrl-A, type 'sudo ' and then hit enter if you find you need to.

I can set in ~/.bash_profile that I want rm to use -i by default (alias rm='rm -i') for safety, which carries over into my 'sudo' environment; doing this for root by default can cause e.g. cronjobs to hang, waiting for input that will never come.

The benefits of sudo are not limited to 'gaining root' - they are multitudinous, and apparently your coworkers have never considered versatility to be a benefit; nor, for that matter, have they done likewise for security. Perhaps they should be educated.

Re:More than just root

[akgunkel]

My hat is off to you sir. This may be the best, most intelligent answer to an "Ask Slashdot" question that I've ever seen. Bravo.

Re:More than just root

> It doesn't take much to hit the up arrow,
> Ctrl-A, type 'sudo ' and then hit enter if you find you need to.

That's good, but in bash, even easier:

sudo !!

Will do the same.

Re:More than just root

Bravo on a great answer. One nit:

> I can set in ~/.bash_profile that I want rm to use -i by default [...]; doing this for root by default can cause e.g. cronjobs to hang, waiting for input that will never come.

bashrc is only read by interactive shells, so this is not a problem

Re:More than just root

[Henry+V+.009]

There are benefits to using sudo, and depending on the situation some of those may become very important. But one con I'd like to point out is the dependence on the sudoers file. You can mangle a system (requiring a reboot to single-user) with one wrong entry. And if you are constantly editing it to give users fine-grained privileges, that risk is important to weigh against the benefits.

And if (as with my current job) you work someplace with:

1. Low employee turnover.
2. Lots of servers.
3. Few people with root access.
4. LDAP authentication for passwords to make changing the root password on all servers easy.

Then maintaining seperate sudoers files on every server is far more pain than it's worth.

Re:More than just root

[tek.net-ium]

Sudo allows you to grant access to specific users for specific commands, and then revoke those commands later. Compare this with giving the root password to everyone, which requires the password to be changed whenever someone leaves the company (or someone's root privs are revoked).

I can grant access via sudo to users for specific commands, without giving them complete administrative access to the entire system.

ssh keys, or kerberos can give the same advantages. Allowing root password ssh logins is just stupid.

When I'm using 'sudo' to do things, my environment stays the same. This means that my $PATH variable stays the same, and so does my prompt. It means that any time I say ~ it refers to /home/myusername and not /root, meaning I can get to it later.

I can set in ~/.bash_profile that I want rm to use -i by default (alias rm='rm -i') for safety, which carries over into my 'sudo' environment; doing this for root by default can cause e.g. cronjobs to hang, waiting for input that will never come.

Yeah, except that frequently servers have some other environment than your typical desktop (different OS or whatever), so you might need to set unique environments for each. Also, I usually want my servers functioning effectively as islands: I don't want them to have access to home directories, because my servers are typically publicly facing and are more likely to be comprimised.

The benefits of sudo are not limited to 'gaining root' - they are multitudinous, and apparently your coworkers have never considered versatility to be a benefit; nor, for that matter, have they done likewise for security. Perhaps they should be educated.

I find the versitility of being able to change an arbitrary number of servers at once far more beneficial than having to manually login to each and modify the same config file or whatever by hand. Sudo's also been affected by a number of security problems recently, which tend to allow your carefully constructed ACL's to be bypassed. See http://www.courtesan.com/sudo/security.html .

Re:More than just root

[Deorus]

> Compare this with giving the root password to everyone, which requires the password to be changed whenever someone leaves the company (or someone's root privs are revoked).

Create multiple UID 0 accounts with different passwords.

As for the rest of your post, I'd rather not trust the security of a server to sudo, firstly because it had security issues in the past, and secondly because it's not a trivial task to decide which commands a user can and can not have access to.

Re:More than just root

[texroot]

Good point about the convenience of LDAP and centralized authentication, though I'm not sure how I'd like having root login be dependent on LDAP.

As for the sudoers file being mangled, using visudo should check for correct syntax and not let you save the changes if they would render it nonfunctional.

Re:More than just root

[c0nman]

sudo bash ???

Do people actually do that? If you want a root shell it's sudo -s. But that is NOT the purpose of sudo. You want accountability on your server(s).

And as pointed out by another already, sudo !! or sudo !-2, sudo !-3, sudo !command... Understanding your environment should be one of the first things you learn.

user/server:/path$ vi /var/named/chroot/var/zones/master/d/domain.tld

"/var/named/chroot/var/zones/master/d/domain.tld" [New File]
user/server:/path$ ls -l /var/named/chroot/var/zones/master/d/domain.tld
ls: /var/named/chroot/var/zones/master/d/domain.tld: Permission denied
user/server:/path$ sudo !!
sudo ls -l /var/named/chroot/var/zones/master/d/domain.tld
-rw-r----- 1 named wheel 7185 Aug 6 2005 /var/named/chroot/var/zones/master/d/domain.tld
user/server:/path$ ^.^2.
sudo ls -l /var/named/chroot/var/zones/master/d/domain2.tld
-rw-r----- 1 named wheel 1121 Aug 6 2005 /var/named/chroot/var/zones/master/d/domain2.tld
user/server:/path$ sudo -s
root/server:/path# id -p
login user
uid root
groups wheel kmem sys tty operator staff guest
root/server:/path# ^D
exit
user/server:/path$ tail -n3 /var/log/secure
tail: /var/log/secure: Permission denied
user/server:/path$ sudo !!
sudo tail -n3 /var/log/secure
Apr 15 22:10:54 server sudo: user : TTY=ttyp1 ; PWD=/path ; USER=root ; COMMAND=ls -l /var/named/chroot/var/zones/master/d/domain.tld
Apr 15 22:10:55 server sudo: user : TTY=ttyp1 ; PWD=/path ; USER=root ; COMMAND=ls -l /var/named/chroot/var/zones/master/d/domain2.tld
Apr 15 22:10:57 server sudo: user : TTY=ttyp1 ; PWD=/path ; USER=root ; COMMAND=/usr/local/bin/bash

That's right, we don't have our user associated with our commands when in a root shell via sudo. There are patches and shells that will log this information, but they should not be needed. Correctly using the tools are as important as the tools themselves.

You will ALWAYS want to have individual logins for every administrator and TEACH your admin's howto use sudo correctly if they do not know already.

As for the original question: nobody should EVER login as root, EVER, PERIOD.

Re:More than just root

[BrynM]

Another advantage I love is logging. From my emailed Logwatch reports:

-- Sudo (secure-log) Begin --
===
brynm => root
---
/home/bryn/cron_scripts/xmla
vi /etc/mail/spamassassin/local.cf

That's me testing a cron script for eventual use and editing my spamassassin rules (yesterday). If I screwed something up, I'll what I did as root because sudo will log the command (look in /var/log). If anyone else did something, I'll know at 1AM when logwatch emails me the reports.

Re:More than just root

[Henry+V+.009]

There is nonfunctional and there is nonfunctional. Commenting out the wheel line can disable all root access (depending on your setup) and visudo won't help you with that.

Re:More than just root

[teknomage1]

Isn't the sysadmin's job to decide which commands a user can and can not have access to?

Re:More than just root

[JollyFinn]

As for the rest of your post, I'd rather not trust the security of a server to sudo, firstly because it had security issues in the past, and secondly because it's not a trivial task to decide which commands a user can and can not have access to.

rm -rf /

bash -c select X in ls /* -A; do{ select Y in ls X; do 777 > Y ;cd ..};#My first shell script probably buggy but gives idea what it should do

emacs -f (delete (recursivegeneratepathtoallfiles "/"))

vi -c #Too tired to do the damanging function but still it could be done.

rm, bash, emacs, vi, are out of limits expecially last 3 since those 3 can generate what ever sequenceas you could consider. There are plenty of other programs that should be out of limits for normal users to get sudo.

Re:More than just root

[Sancho]

ssh keys, or kerberos can give the same advantages. Allowing root password ssh logins is just stupid.

How do ssh keys allow you to restrict the commands that can be used?

As for the sudo advisories.... well 8 in five years isn't all that bad, and most of them are somewhat common sense (let someone execute a scripting language and yeah, it's probably going to be somewhat insecure).

Re:More than just root

[Wolfrider]

> It doesn't take much to hit the up arrow, Ctrl-A, type 'sudo ' and then hit enter

--Doing that while running the " screen " program is not recommended, and may cause unpredictable results.
:b

Re:More than just root

Actually, it's quite predictable. It will send an XOFF command, which may wreck havoc with your terminal.

In screen, you would do: up arrow, Ctrl-A, a, sudo, enter

Re:More than just root

[Bronster]

which is why I use:

sudo !!

Re:More than just root

[lintux]

Compare this with giving the root password to everyone, which requires the password to be changed whenever someone leaves the company (or someone's root privs are revoked).

You're in trouble anyway if the person leaving had enough privileges to do something like this:

cp /bin/sh ~/bin
sudo chown 0:0 ~/bin/sh
sudo chmod u+s ~/bin/sh

It's pretty hard to put useful limits in sudoers...

Re:More than just root

[geminidomino]

Maybe it's just me, but I think that if you can accidentially comment out the sudoers wheel line, then you shouldn't be allowed anywhere NEAR a raw root shell anyway...

Re:More than just root

[Znork]

"Sudo allows you to grant access to specific users for specific commands,"

Perhaps a nitpick, but be _very_ careful with that slight misconception. The correct statement would be:

Sudo allows you to grant root (or other) UID to specific users for specific commands.

On the surface it appears a slight distinction, but it means that seemingly innocent commands like vi or more lets users do shell escapes to obtain root shells, cat with sudo priviliges can allow them to overwrite passwd, etc.

Basically, while using sudo, it's safest to assume that any user granted access as root for any command through sudo can obtain general root priviliges, should they so desire.

Re:More than just root

[Bert64]

So i assume you also won't trust the security of your server to an even greater degree to an OS that's had security issues in the past...
So, what OS are you running?

Re:More than just root

[Mark+Round]

Sudo can use LDAP as well. Why not leverage that if you're using LDAP anyway ? You can then store all your sudo information in one central repository; no more maintaining hundreds of individual files...

Re:More than just root

[tek.net-ium]

How do ssh keys allow you to restrict the commands that can be used?

see sshd(8)
~/.authorized_keys: command="/sbin/reboot" ssh-dss AAAAB3 ....

Re:More than just root

[Sancho]

Interesting, but how is this more secure than sshing to the box as a regular user and using sudo? Isn't key management in this form harder than editing the sudoers file? Imagine a situation with 10 administrators--you either need 10 keys (one per administrator) per command or you need one key per command and revokation/redistribution of keys whenever you need to revoke access to a command.

Re:More than just root

[tek.net-ium]

ssh keys are less prone to mistakes because you're not doing everything manually if you've got several servers: under your scheme you need to manually ssh to each machine then manually run sudo to modify something. if you manage over 3 machines, this is a complete waste of time and makes you slow to respond. you can allow junior admins to have access to a specific subset of commands by sharing keys on a golden host. allowing the user's public key (or kerberos, preferably) can be used for full root access on certain machines. also, since when is revocation hard? you have to modify the authorized_keys file, which is just as much work as modifying the sudoers file. i fail to see the difference. also, you ignored the claim that having user directories mounted on servers is a bad idea in the event the server gets compromised: whoever compromised that machine now has your password, which is the only authentication token required to get root on other machines.

Re:More than just root

[PygmySurfer]

You will ALWAYS want to have individual logins for every administrator and TEACH your admin's howto use sudo correctly if they do not know already.

You can teach your admins all day long HOW to use sudo correctly, but if they find it EASIER to simply run "sudo su" or "sudo bash", and you don't go through the trouble of limiting what they can do with sudo, they're going to do it.

Re:More than just root

[Christopher+Cashell]

Have you ever managed to get it working on RHES4?

I've got LDAP enabled sudo working beautifully on our RHES3 boxes, but for some reason it doesn't actually work on the RHES4 boxes. Very annoying, and slowing deployment of RHES4 for us.

(No, I haven't filed a bug report for it, or spent more than an hour or two poking around ith this problem. It's on my to-do list, but I haven't gotten to it yet. ;-)

Re:More than just root

[mkiwi]

What's with this: rm -rf /?

Make a Statement when you delete the root directory:

# rm -Rf /

:)

Re:More than just root

[cloudmaster]

What the heck, use them both!

# rm -Rrf /

Or maybe even all three, while we're feeling bold

# rm --recursive -r -R -f /

Something about a recursive rf removal sounds even more exciting than normal...

Re:More than just root

[dotgain]

Not only that, one day, on another system he hasn't yet aliased rm to 'rm -i', he'll fire the command, and wonder why he hasn't been asked, while it silently does its work.

I never alias rm to 'rm -i'. In all of my UNIX history, I've once blown away my /usr tree in my first week of learning (mean to delete my temporary copy in /root/usr), and once deleted a file I would later need (where I would have said "yes" to rm -i anyway).

I believe an rm -i default is a bad BAD BAD thing.

Re:More than just root

[JollyFinn]

Man rm:

              -r, -R, --recursive
                            remove the contents of directories recursively

Re:More than just root

[cloudmaster]

Coomenting out the wrong line in pam.d/system-auth can lock everyone out, and having a local root account won't help. :)

Besides, any time you edit anything in /etc related to system authentication, you should already have a root shell opened up in another terminal ready to go - that way, even if all auth breaks, you have a shell you can use to fix it. That's the only time I feel good about being logged in as root (even though it's usually a "sudo su -" and not a terminal login)...

Re:More than just root

[sjames]

Isn't the sysadmin's job to decide which commands a user can and can not have access to?

It's not always that easy. Many commands when run as root can be used to gain further root access. The simplest example is an editor that has a command to suspend and give a shell. Other examples would be redirecting output to /etc/shadow, or setting up a link so that some other sudoer or root account will unintentionally run a script.

There are enough corner cases that it's probably better to just assume that any sudoer is free to do "sudo su -" and to not make anyone a sudoer if you wouldn't trust them to login as root.

Sudo

[doon]

I even use sudo on my *nix boxes @ home. I am a firm believer in sudo. mainly since if I do something stupid with it, I have a log of what it was. We also use sudo at work on all of our boxes(40+), to me it just makes it easier, and makes for one less password to remember. ALso the majority of tasks that I need to do, I can do as myself, there are some tasks, such as restarting services,etc that I need root to be able to do, so as opposed to su'ing over to root, (we don't allow root logins), it is just as easy to sudo the command. Once we get around to hiring a Jr admin, we will use sudo to limit what they can access.

I stick to sudo

[gzearfoss]

I personally stick to sudo. The main reason why is to protect me from myself, more than anyone. Because I have to prefix the command with sudo, it serves as a 'mental brake' to slow down my typing, and double check what I type before I run it.

Re:I stick to sudo

[Rinisari]

I personally stick to sudo. The main reason why is to protect me from myself, more than anyone. Because I have to prefix the command with sudo, it serves as a 'mental brake' to slow down my typing, and double check what I type before I run it.

(Quoted for Emphasis) (and bolded, too)

Re:I stick to sudo

[Tragek]

See; in theory, its a great idea. But by the same principle that some nerds start typing digg when they mean dig, and del.icio.us when they meant delicious, I manage for the most part to disable the mental brake that stops me from using sudo wishywashily. I type sudo rm -r * with the same ease that I type rm -r. My hands muscle memory once started is faster than my brain. I guess I just have to trust that my initial aim is true.

Re:I stick to sudo

[Zorandler]

I know what you are saying...but when the sudo p/w isn't cached (i.e. I haven't completed a sudo command recently) it also gives a little more time to think while I have to type my password again...wait a second, why do I need root privs here?? I find that if I'm jumping onto a server for a quick command that needs sudo, I'll either forget and type the command without sudo which will make me remember oh yes, I need sudo for this...better be careful....or I'll have that prompt for my p/w which will also remind me that I'm executing with root privs and better double check the command I just entered.

Re:I stick to sudo

[jgrahn]

I personally stick to sudo. The main reason why is to protect me from myself, more than anyone. Because I have to prefix the command with sudo, it serves as a 'mental brake' to slow down my typing, and double check what I type before I run it.

The '#' at the end of the prompt is my mental brake.

Use sudo rarely?

[JTD121]

I am no Unix/Linux guru by any means, but in a default install of say, Debian, or Ubuntu, to open a number of programs I need to use sudo quite a bit to set it up. Maybe I am missing something somewhere, but the 'use sudo if you absolutely need root' is crap.

Then again, I am quite a newbie either way.

Re:Use sudo rarely?

[techno-vampire]

Maybe I am missing something somewhere, but the 'use sudo if you absolutely need root' is crap.

You are. The right way to say it is, "Use sudo if you only need to run one command as root; log in as root only when you're going to need to do a number of things that require root."

As a side-note, somebody upstream noted that sudo doesn't change your environment, but becoming root does. If you don't need root's environment, just use su, instead of "su -" and you keep your current location, $PATH and other things.

Re:Use sudo rarely?

[BobPaul]

On both my Ubuntu box at home and Gentoo servers at work, logging in as a user and then issueing "su" (or "sudo su") causes the environment variables to be the same as if I logged in as root directly, so I'm not sure what you're referring to.

Generally, I use sudo, even if I have a lot of commands to do. I feel it's a better idea as every command I enter is in just one log. Anything I do with "sudo" is in the system log while anything I do with su is in /root/.bash_history, which of course, is more volatile. For logging purposes, especially if there are many administrators who have access to the server, sudo is just more organized, there's just one place to turn if things aren't working, plus you can identify the individual.

Get a programmable keyboard and program a key to macro "sudo " for you or even "[Up][Home]sudo [Enter]" if you have trouble with the extra 5 characters you occasionally need. Or us an alias like s=sudo if your cheap. I recommend the keyboard. (You can even put your password on CTRL+ALT+SHIFT+F12 to make things easier)

~$ [F1]rm -rf /
Password: [CTRL-SHIFT-ALT-F12]

Re:Use sudo rarely?

[techno-vampire]

Check out the man page for su. If you enter

su -

you become root, in the same directory as you were in, without running root's login scripts. Of course, that means that you probably don't have /sbin on your $PATH, but if you're just installing software, you shouldn't need it.

Re:Use sudo rarely?

[FuzzyBad-Mofo]

What kinds of programs do you need to run as root? If it's really necessary, you can "sudo su" in order to get a root prompt without actually logging in as root.

Re:Use sudo rarely?

A programmable keyboard? What on earth do those give you that simply altering the keymap doesn't? After all, the keyboard simply sends numbers to the computer, it's up to the operating system to interpret which symbols come out. That's why you need to choose the keyboard layout when installing linux, and those keyboard layouts are simply files listing the number-symbol correspondence.

Re:Use sudo rarely?

[Ash-Fox]

> you become root, in the same directory as you were in, without running root's login scripts. Of course, that means that you probably don't have /sbin on your $PATH, but if you're just installing software, you shouldn't need it.

[ash@Tapestry ~]$ echo $PATH /usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/g ames:/home/ash/bin
[ash@Tapestry ~]$ su
[root@Tapestry ash]# echo $PATH /sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/ local/bin:/usr/local/sbin
[root@Tapestry ash]# exit
exit
[ash@Tapestry ~]$ su -
[root@Tapestry ~]# echo $PATH /sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/ local/bin:/usr/local/sbin
[root@Tapestry ~]# exit
logout
[ash@Tapestry ~]$


By the way, the package management utilities in my distro are lcoated in /sbin.

Re:Use sudo rarely?

[BobPaul]

No thanks, manpages are for nubs ;)

bobpaul@venus ~ $ echo $HOME /home/bobpaul
bobpaul@venus ~ $ su -
Password:
venus ~ # echo $HOME /root
venus ~ # exit
logout
bobpaul@venus ~ $ su
Password:
venus bobpaul # echo $HOME /root

Doesn't look like it does it, though.

Re:Use sudo rarely?

No thanks, manpages are for nubs ;) ...but reading the man page would have cleared this up nicely.

Try 'su -p'.

Re:Use sudo rarely?

n00b

It depends...

[D'Arque+Bishop]

For me, it all depends on whether or not the machine is one I directly own or control.

If it is one I personally own or am more or less directly responsible for above anyone else, then I use root if needed.

If it's one that I don't personally own or I'm reporting to someone else who's ultimately responsible for the machine, I don't ask for the root password and request sudo access instead. That way, there's a log of my actions so I can go back and show exactly what I was and wasn't responsible for doing. Showing accountability is key when you're in a position of trust, IMHO.

Just my $.02...

Re:It depends...

[anticypher]

On machines that are not owned by me, but where I can influence the security policy, sudo is the only mechanism I permit. The only root logins are on the console (since they are all stuck in data centres, phyical access is very limited). Forcing sudo causes more responsible behaviour on everyone's part, and knowing that commands are logged, admins tend to think a little more before blowing the system away. On machines where I've enforced a sudo only policy, reliability goes way, WAY up.

On my own machines, I still use sudo, but it tends to be 'sudo bash', and I change the color of the xterm to red-on-black so I know it's root. Not the best practice, but I've made enough expensive mistakes in my past to be overly cautious most of the time.

the AC

Re:It depends...

[Ash-Fox]

> Forcing sudo causes more responsible behaviour on everyone's part, and knowing that commands are logged, admins tend to think a little more before blowing the system away.

I can blow a system away with sudo while whiping out the log too. Sudo can't stop me if I truely wanted to.

The biggest reason

The biggest reason not to use root as your actual login shell is to prevent virus infections from being possible.
    If you're a "normal" user, you don't have write privledges to the executable files of your applications - that means that a virus can't make changes to it, and can't infect it, unless you are stupid and log in as root all of the time. Remember: Install as root, run as a normal user. It's the whole reason you never hear about _ACTUAL_ UNIX viruses on the loose - just "proof of concept" scare tactics from antivirus companies. The separation of administrative privledges from normal user privledges is one of the things that make UNIX type systems a hostile environment for a virus.

Ask slashdot;

[jericho4.0]

My brother insists it's safe to turn off a computer by pouring beer on the power supply. Everything I've ever read has been the exact opposite philosophy. Who is right?

Re:Ask slashdot;

Mod this up

Re:Ask slashdot;

[bevo14]

Of course it is safe. Just stand back.

Re:Ask slashdot;

I think that the primary question is what type of beer. Budweiser, et al, should not be a big problem as they are no different than water. A good stout might prove too thick for the average PC cooling fan to seize. Using Root Beer might be the best option : )

Re:Ask slashdot;

[enrgeeman]

not root beer, sudo beer!

Re:Ask slashdot;

My apologies. I stand corrected. A quick question...is Sudo a Japanese or Chinese brewer?

Re:Ask slashdot;

Depends on the quality of the beer

Re:Ask slashdot;

The exact opposite philosophy? You mean turning off beer by pouring computer into its power supply?

Re:Ask slashdot;

[EZLeeAmused]

Your brother is right. It is safe and effective to turn off a computer by pouring beer on the power supply. But it only works once. And after it does, you really wish you still had that beer.

Re:Ask slashdot;

[LocoMan]

I found that specially funny considering that "sudo" is spanish for sweat... :)

Re:Ask slashdot;

[OldManAndTheC++]

Surely it is best to drink the beer and then urinate on the power supply. Admittedly this increases your risk of electrocution, but at least you are not wasting beer!

P.S. you seem to have found an exception to my sig ...

I'm a loner, Dotty.

[supersocialist]

It's not what you do as root... it's what malware running without your knowledge does with root. Obviously. That said, I'm running XP, so in the end it's "not root is safer, but I like to live dangerously."

Re:I'm a loner, Dotty.

[delire]

You're a Socialist running XP??

C00l! I'm a 35 year Anglican and Biological Weapons Engineer living in Morocco. I like Burzum, Vegan cuisine and greyhound racing!

sudo...

[stoney27]

I think you should use sudo, besides cutting down on the "oops I typed that command as root" mistakes. It also logs all commands run as root. Well when you run sudo . Even if you don't look at the logs that much. It will give you a record on who fixed what and when. Just incase something does go wong.

-S

ps hi joe!

It's all about logging

[forsetti]

Given rich ACLs, there is really very little that needs to be done as root. However, when root is needed, it is important to remember that there is only one root. On a machine with multiple admins, how do you tell who logged in as root? The sudo log entry tells all:

Apr 15 22:05:41 linux-black sudo: matt : TTY=pts/0 ; PWD=/home/matt ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log

sudo is valuable if only for the logging. Yes, you can limit what can be done using the sudoers file, but logging who did what is invaluable.

Re:It's all about logging

[(H)elix1]

And to play devil's advocate, this is exactly the reason to log as root. You sudo and hork something up, they can tell exactly who did it...

And to play devil's advocate, this is exactly the reason to log as root. You sudo and hork something up, they can tell exactly who did it... (grin)

Re:It's all about logging

[Deorus]

> On a machine with multiple admins, how do you tell who logged in as root?

Disable root logins completely and have everyone su to root whenever they need super-user privileges. PAM allows you to do this.

Re:It's all about logging

[dvanduzer]

This can work in small environments, but on busy machines where numerous users are performing administrative tasks that require root privileges, it becomes difficult if not impossible to tell which "root" ran which command. In larger environments, this is essential.

Re:It's all about logging

sudo bash any subsequent commands dont show up in the log ( from my experiance with ubuntu ) , so all they can tell is you went into a root shell, not what was done

Re:It's all about logging

[jZnat]

Dude, I think you ssh'd into my machine and read that out of my log files! :(

Re:It's all about logging

[MstrFool]

>>Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'

  Clearly you have spent more time with firefox then with a woman. A woman can quite effectively block pop-ups. There is the cold water trick, long lectures about toilet seats and the ever popular 'point and laugh' method. And unlike with a woman, with firefox you can get a virus just by looking.

Re:It's all about logging

[jrockway]

> sudo is valuable if only for the logging

$ sudo rm -rf /path/to/the/bosses/files

$ sudo rm /path/to/the/log

$ sudo bash -c 'echo "Apr 15 22:05:41 linux-black sudo: person_you_hate : TTY=pts/0 ; PWD=/home/boss ; USER=root ; COMMAND=/bin/rm -rf /path/to/the/bosses/files" >> /path/to/the/log'

$ logout

Yes, yes it is.

(Even if you syslog to a remote machine, we all know that UDP can never be forged... especially by root.)

Re:It's all about logging

[lord+sibn]

$ sudo bash -c 'echo "Apr 15 22:05:41 linux-black sudo: person_you_hate : TTY=pts/0 ; PWD=/home/boss ; USER=root ; COMMAND=/bin/rm -rf /path/to/the/bosses/files" >> /path/to/the/log'

you do, of course, realise, that this command will be appended to your freshly deleted log?

Re:It's all about logging

[macdaddy]

Create multiple UID 0 users (one per root-privileged sysadmin). Compile Bash w/ syslog support. Point your syslog @ a remote syslog machine. Piece of cake. This has numerous advantages IMHO. It gives each user their own shell history. Every user has their own shell environment (PS1, PATH, etc). It gives all the root users access to common root mailbox. I will warn you though that vlock is not smart enough to deal with this setup. A user will still have to use the password of the main "root" user to unlock the shell after using vlock.

I know some large Solaris shops that give admins (senior and junior admins) root privs by simply adding their SSH RSA public key to root's authorized_keys(2) file. Then the admins can "ssh THEIRROOTUSERID@localhost" to get root privs. Ideally you'd prohibit remote root SSH access. To work around this run SSH on a non-standard port and use a host-based ACL to restrict access to that port to only localhost. Whenever they need to revoke root privs the administration simply remove the person's public key. No one ever needs to know root's password this way. No one needs to memorize a new password everytime a person's root privs get revoked. The same vlock problem applies here too.

I use both method. In fact I tend to use both method together. I create a UID 0 user for each of my admins. I use the SSH key trick for getting my admins logged into those root-privileged accounts. I use a simple .bash_logout script that archives the current history output to a timestamped file. I use the SYSLOG patches on a custom install of Bash. It's quite a slick system.

Re:It's all about logging

[cloudmaster]

Why would you use a host-based ACL to block access to ssh when you can just make ssh listen only on the loopback interface to begin with?

Also, what good is it to give each user a separate UID 0 account if you have to give them all the "real" root password anyway? Never mind all of the other nuiscances that come up when you have multiple accounts using the same UID...

Using sudo mitigates all of those problems, while retaining each user's distinct account settings. All the while, it's easier to administer and doesn't require everyone to use the same hacked-up shell.

What you've done is like solving the problem of how to automatically shift gears in a car by rigigng up a system of levers and pulleys to a manual gearbox (note, sometimes it won't work, so you have to manually shift), when someone already invented a flawless automatic transmission you could've used instead. :)

Re:It's all about logging

[macdaddy]

Why would you use a host-based ACL to block access to ssh when you can just make ssh listen only on the loopback interface to begin with?

My solution involved running 2 SSH daemons. One accepts all connections on the default port but does not allow root logins. The other allows root logins but can't be remotely accessible. You could run the second daemon bound to localhost. I had a good reason why this wasn't the ideal solution but I forgot it while writing the replies below. Anyhow it's doable but isn't much less effort than running it on tcp/2222 and adding a couple lines to your iptables config.

Also, what good is it to give each user a separate UID 0 account if you have to give them all the "real" root password anyway? Never mind all of the other nuiscances that come up when you have multiple accounts using the same UID...

Why would you give them the root password? My comment didn't say I was giving them the root password. It's not required for all of these users to have the root password, or any of these users for that matter. I've been using this setup for better than 10 years on Solaris and various flavors of Linux (cherry, lemon-lime, marshmallow) and have only found the vlock caveat. Everything else has been smart enough to deal with it. Even the wtmp logs the real userid and not just the first userid associated with a given uid. I don't know if this is a POSIX thing or not but almost everything I've worked with has been written to take this into account. I admit it still surprises me to this day.

Using sudo mitigates all of those problems, while retaining each user's distinct account settings. All the while, it's easier to administer and doesn't require everyone to use the same hacked-up shell.

We haven't actually documented any problems yet. The root password problem is non-existent. The second SSH daemon works either way. vlock isn't really important (and there's numerous patches to resolve the issue anyway). I've used sudo as well. It's nice. I can't think of a large shop that uses it, but it's still nice.

Every single root user in my set up has distinct account settings. They share very little (basically the root mailbox is all). $USER is set to "root" on GNU/Linux. I forget what it is on Solaris. $MAIL feeds off $USER. 'logname' can easily be used to fixed both though, if that's desired which is hasn't ever been in my experience. There isn't any "hacked-up shell" to deal with. The root users can pick from whatever is installed. They're root; they can install the shell of their choosing (if they're willing to face the wrath from me for installing ksh... grrrrr...).

What you've done is like solving the problem of how to automatically shift gears in a car by rigigng up a system of levers and pulleys to a manual gearbox (note, sometimes it won't work, so you have to manually shift), when someone already invented a flawless automatic transmission you could've used instead. :)

It's funny you should mention that. I hate automatic transmissions. They're a waste of steel (now aluminum). I greatly prefer a stick shift. You actually get better mileage with a stick if you know how to shift properly. You could always reprogram your auto with chip that is written with mileage in mind but most are meant for performance. I prefer to control my vehicle and not have some pain in the ass computer do it for me (unless I have control over the computer). My first vehicle was a stick as was the old '65 Jeep truck in which my grandfather taught me to drive. That wagon is the closest photo I can find of the old Jeep. The front end is the same as is the interior (red). I can't find a photo of a real '65 truck though. We still have the Jeep.

Back on topic. Sudo and this SSH solution are both good. Both have their uses. If I have a set of users that I want to only have access to certain comamnds then I'll use sudo (or write a nice shell wrapper). However if I have a sysadm that nee

Re:It's all about logging

[cloudmaster]

My comment didn't say I was giving them the root password.

You mentioned needing the real root account for root's mail reading, and for locking. I guess that just implied that everyone gets the password - it's where I got that from.

There isn't any "hacked-up shell" to deal with. The root users can pick from whatever is installed.

Yeah, but then you lose the logging if they're not using the special Bash. They can pick a shell *and* still have the logging with sudo. :)

I can't think of a large shop that uses it, but it's still nice

I'm normally not big on dropping names, but: Until tomorrow (end of contract), I work for Intel (but do not speak for them), specifically as a Linux sysadmin on production and pre-production systems used for application benchmarking in a clustered environment. I'd consider "Intel" to be a rather large shop. We use sudo extensively in our work (there are usually at least two people with admin access on a given cluster). It's been almost a year since I last did the "systems administrator security training course", but as I recall, the use of sudo is specifically required in the corporate security guidelines, and the use of multiple acocunts with shared UIDs is explicitly prohibited. The rational is that shared IDs do not provide accountability for user activity.

From what I know about the even larger Fortune 50 company I'll be working with starting next week, sudo is also used. So, there's a couple of examples for future reference. :)

As far as sudo being "babying", any competent admin knows that "sudo -s" or "sudo su -" will get him access to the root account when neccesary. He'll also know that it's almost never necesary. As far as I'm concerned, knowing about *nix's reliance on UIDs to uniquely identify users and then taking advantage of that internal knowledge by creating multiple "users" with the sameID is just a kludgy workaround for which a "proper" solution exists. Never mind that there are now *two* accounts per admin, greatly increaseing the places to mess something up. Sudo is one good solution that maintains the UID "black box" without the ugly hack feel. Both work though, I suppose, and I'm obligated to tell people that "it works for you" is more important than "it's what I'd do", but I've yet to see any benefits to *not* using sudo. Only alternatives... :)

To maintain the offtopic discussion at the same time:

You could always reprogram your auto with chip that is written with mileage in mind but most are meant for performance.

Actually, most automatic transmission reprogramming I've seen will help both mileage and performance. When reprogramming automatic behavior, typically you'd want to shorten shift times, increase line pressure for firmer shifts (and less slippage in general), and move shift points around. The first two changes you can also get by installing a shift kit - and they help with both mielage and performance. The factory extends shifts to make them softer, both to lessen stresses on internal parts *and* to decrease driver perceptions of harshness. You can tighten things up quite a bit without overstressing internal parts, usually.

The other thing tuned is shift points (and potentially convertor lock-up points). Any ECU that controls a transmission is going to have a table of shift point v/s throttle position. Since I'm a GM guy, I'll point out that the TH20-4R (starting in the early 80s, was on things like the Buick Grand National) and the 700-R4 (pre-'87 they sucked, then the name was changed to 4L60 in the 90s) use a cable attached to the throttle to vary shift firmness and RPM level based on throttle position (and sometimes engine vacuum). Later electronic trannys, like the 4L60E in my '95 and '96 Caprices, and the 4L80E in larger trucks, use a throttle position sensor. But the point is that a modern automatic can be more consistent than a stick driver (why do bracket racers all run auto

Audit Trails

[quan74]

One word (ok two words) - Audit Trails. If *everyone* has root's password, you have no audit trail of who used it, at what time, etc. Sudo access gets logged, both the command and the user calling it. Granted if their intent on accessing the system was malicios they'd have the power (as root) to modify the logs, but if you are remote logging, or if their intention wasn't "purposely" malicious you'd have a trail.

IMO the best practice would be to keep the root password a closely held secret, and give other users requiring root access sudo, and possibly remote syslog to a machine those users don't have root privs on.

Re:Audit Trails

Remote logging helps, but may not help in tracking down a malicious attack. Since it only logs commands, you could run a script called "update_sql" that actually installs a cron job that would nuke the system in two days. The lesson is that you shouldn't give sudo to someone you wouldn't also trust as root -- it's more of a protection against stupidity than anything else.

Turn Off Remote Root

[Erwos]

Whatever you do, DO NOT allow remote root logins. Ever!

root is the one account that attackers can be reasonably sure exists on your computer. Allowing remote access to it allows them to hammer it with dictionary, brute force, and social engineering attacks from relative safety.

If you're the only admin on the computer, su into root is fine - if anything goes wrong, it's your fault anyways. Otherwise, use sudo to maintain high levels of auditability and least privileged access.

-Erwos

Re:Turn Off Remote Root

[libra-dragon]

I'm lazy and like to scp files as root --it helps adminstration. I guess you could just rename the root account to keep remote logins. I've never tried this, but I wonder if there's any flavors that have a specific dependency on the actual UID 0 being named "root". With that said, you could do what others mentioned and create duplicate UID 0 accounts.

If you're needing remote root login, set PermitRootLogin to "without-password" and use keys. I know key administration is a real PITA, but it's easy if you have a utility server that you can use as a jump host for root logins. Keep the root private key on the utility server and hop from it when you need root (remote) access. This way all of your root key management is done in one place.

Another lazy thing I do is "sudo su - root -c bash". This works best when the NOPASSWD option is used in sudoers. This of course blows away logging, but you can still see who's logged in...

While we're on the subject of security... Keep your email addresses and your logins different. I've run across so many people who have their email address listed in their whois technical contact info and this just so happens to be their unix username as well. Don't make it easy for brute force attackers by giving them your username.

Re:Turn Off Remote Root

[WasterDave]

I agree, with one exception. On development+gateway boxes it's good to be able to do ssh -Y as root so you can start ethereal as root and see WTF is going on with the network. If you ssh in as yourself the su over to root you lose the X11 tunnel for reasons I don't have the time to investigate.

If there's a cunning/easy way around this, I'm all ears!

Dave

Re:Turn Off Remote Root

[kestasjk]

If you're talking about corporate environments with multiple admins then fine, but at home I allow remote root access, and as long as you have a secure password you'll be fine. No remote root logins ever, in big caps, is too much of a generalization.

The accounts you have to watch out for are the ones which you might not think of, if you check your auth.log for attacks (I get one every couple of days) you'll see them attack accounts like 'test', 'admin', 'ftp', etc (and root too of course). They go for the 'forgotten' accounts.

The difference is anyone will know to keep a secure root password, but most people will be less sure about whether their ftp account has a password, or whether they removed that test account they installed, etc.

Re:Turn Off Remote Root

[mcrbids]

Whatever you do, DO NOT allow remote root logins. Ever!

Unless you login via SSH with RSA keys

root is the one account that attackers can be reasonably sure exists on your computer. Allowing remote access to it allows them to hammer it with dictionary, brute force, and social engineering attacks from relative safety.

Not if you're using RSA keys.

Whether to use sudo depends on your role within your organization. I'm the sole admin of a small company, so I use root. If something stupid was done, it'd come right back to me, anyway, so what good is the logging?

And, I don't bother with passwords - they're too easily guessed and too hard to remember, and trying to keep 31 different passwords for NNN account on YYY server gets crazy real fast.

But, with RSA keys, I have no passwords to remember, and furthermore, I'm all but invulnerable to dictionary attacks and the like. I'd further recommend moving your SSH daemon to a funky port, so that automated scans don't see your potentially vulnerable hole.

My Linux laptop has RSA keys set up for each server, so it's a single command to become root on any server.

We just hired our first tech employee, and I can assure you that *he* won't be getting so much rope for a while - he'll be using sudo *IF* he needs root power, and then only on the dev server. Eventually, if he steps up to the plate, I'll gie him some more administrative privs, but that's a ways off...

Re:Turn Off Remote Root

[fimbulvetr]

If you ssh in as yourself the su over to root you lose the X11 tunnel for reasons I don't have the time to investigate.

Well if you do "su" without a "-", it inherits your ENV but then your XAUTHORITY is messed up. Doing export XAUTHORITY=/home/`user I was before`/.Xauthority can solve this.

If you're doing "su -", the - overwrites your ENV with whoever you just su'd too, so you lose your DISPLAY variable(generally localhost:0.10 with -X/-Y).

Re:Turn Off Remote Root

[Ash-Fox]

Interestingly enough, I've ssh'd to my mandriva server, done a "su -", then "drakconf" and the x application started up on my screen.

I don't permit root logins on SSH and my login administration name has no password prompt for when I do a "su -" (pretty much what I call a 2nd tier admin account).

I believe the reason why X and such isn't getting forwarded is because of SELinux patches, which are common in SuSE, Redhat, Fedora core.

Re:Turn Off Remote Root

[Homology]

I agree, with one exception. On development+gateway boxes it's good to be able to do ssh -Y as root so you can start ethereal as root and see WTF is going on with the network.

You should consider using something else than ethereal. That program was removed from the OpenBSD ports tree due to bad security track (remote exploits) and authors unwilling to do something about it:

Revision 1.91, Wed Jul 14 21:52:25 2004 UTC (21 months ago) by pvalchev
Branch: MAIN
CVS Tags: HEAD
Changes since 1.90: +1 -1 lines
FILE REMOVED

Remove ethereal from the ports tree. Right during 3.5, it had more than
a dozen remote holes being fixed, that we shipped with. Weeks later
things have not improved, and there continue to be problems reported
to bugtraq, and respective band-aids - but it is clear the ethereal
team does not care about security, as new protocols get added, and
nothing gets done about the many more holes that exist.

Maybe someone will at least privilege separate this one day, and then
the OpenBSD stance with respect to this may change.

Encouraging people to run broken software by distributing packages
with known security holes is not desired by any of us.

Re:Turn Off Remote Root

[oojah]

> check your auth.log for attacks (I get one every couple of days)

In a home environment I'd recommend moving your ssh server to a non-standard port. I did this a while back and have since had zero attempted ssh attacks. You can use the ~/.ssh/config file to remove the need to add the extra "-p 12345" option each time as well.

Cheers,

Roger

Re:Turn Off Remote Root

[Artana+Niveus+Corvum]

The problem I've personally found with this setup is that all someone has to do is guess your local user's password (or, God forbid, walk up to your computer while you're off in the bathroom or getting coffee when you've accidentally left yourself logged in... whoops). It seems unlikely maybe, but that doesn't negate the fact that it's happened to people that I know.

Re:Turn Off Remote Root

[macdaddy]

I know a security nut that simply stores his RSA keys on an encrypted thumb drive. Whenever he walks away from his computer he pulls the thumb drive. Slick. He plugs it back in when he returns and authenticates to decrypt his thumb drive file system.

Re:Turn Off Remote Root

[Artana+Niveus+Corvum]

now THAT... THAT is a fun idea. I think I might start doing that just so I'll always have a use for my thumb drive. =)

Wrong

[metamatic]

Good practice is to avoid running server tasks as root unless absolutely necessary, and there are all kinds of server admin tasks you might need to do, that don't need to involve becoming root. Database administration, for example.

Re:Wrong

Not to mention, by having individuals log in, and use sudo, you can track who did what, when. If everyone logs in as root, you have no idea who it really was. If they log in as themselves, and screw up, there's at least a good chance that it was them that did it.

Re:Wrong

Why are other people logging into my server?!? Have I been hacked?? It's my server, damnit, I'm the only one who gets to touch it!!! Tell those other assholes to stay logged out!

Sincerly,
Root

Re:Wrong

[foQ]

Mod parent up, please. Logging in as yourself provides both accountability and another layer of defense against hacking.

Re:Wrong

[Ash-Fox]

I can easilly use sudo and modify the logs to make it look like someone else did it, or whipe the logs out entirely.

Re:Wrong

[nagora]

and there are all kinds of server admin tasks you might need to do, that don't need to involve becoming root. Database administration, for example.

All normal database admin can be done with various programs that access the server remotely (by which I don't mean ssh!). Abnormal admin that requires actually logging into the server pretty well always requires root. The same goes for everything else.

It is true that the daemons should not RUN as root but by and large every one of them needs root to do anything drastic to their configuration or rescue data in the case of a crapped-out drive. For everything else there's SWAT, CUPS, phpadmin, even good old Webmin & co. All these use HTTP in one way or another and reduce the day-to-day need to login to zero.

There's just no need to be on your server unless you are root.

TWWW

Re:Wrong

The whole point of using sudo is to lock it down so people like YOU can't modify logs like that.

Re:Wrong

[stuff-n-things]

Having been both an Oracle and Oracle Applications DBA, and UNIX sysadmin, I disagree. Yes many tasks (monitoring, managing users, tables and tablespaces) can be done remotely. But upgrade tasks, particularly with the apps environment, cannot. It also difficult to deal with the so called 'concurrent manager' apps processes, which at one point needed to be killed entirely too often. Database (including executables) restoration can be done as the user owning the databases/software, after root or the OS restore process creates base directories and assigns ownership; backup can and IMO should be done by the database owner, too. None of these require root--although the apps upgrade is made easier by having a simple root shell script that runs other stuff as either the database owner or the application owner, since that is a back and forth between users for each step. Even that is only a convenience for a process that took 48 hours runtime on a 4 processor, 32GB RAM AIX system. The only tasks that I've needed root for are the initial software install, which requires kernel tuning on some platforms, user and directory creation, and startup/shutdown setup.

Re:Wrong

[kpharmer]

> All normal database admin can be done with various programs that access the server remotely (by which
> I don't mean ssh!). Abnormal admin that requires actually logging into the server pretty well always
> requires root. The same goes for everything else.

> There's just no need to be on your server unless you are root.

Hmmm, i've got to disagree. What database product are you thinking of?

I'm using db2 to manage a large data warehouse & set of reporting databases. DB2 is notorious for requiring root, but even here:
    - root is required to install or uninstall db2 or its fixpacks
    - root is required to run a few odd utilities

and that's it. Server admin can be run remotely by db2 java clients, but most suck as much as Oracle's OEM, etc. This is usually used by junior dbas with no unix skills. Limited server admin can also be performed remotely over command line. Limited.

So, most server actions are then performed locally by a dba without root or sudo:
        - start server
        - stop server
        - backup database
        - load table
        - check tablespace container allocations
        - add/remote containers (files, devices, file systems) from tablespaces
        - check memory utilization
        - check process utilization

I've seen a few organizations that refused to allow dbas to login to their database servers. On closer inspection I discovered that all databases that the organization supported were trivial: less than a 1 gbyte of content-management stuff, or 50 mbytes of transactional data. Needless to say I didn't move multiple terabytes of reporting data into their environment - to be at the whim of their untested theories on what a dba needs to do.

Re:Wrong

[Ash-Fox]

Ah, but then I wouldn't be able todo system administration. Make up your mind.

Re:Wrong

[dhasenan]

Why do you need to modify logs in the first place? The only reason I can think of is when a logfile contains sensitive information such as the root password. And that won't be happening often, if at all.

So when it does happen, the main administrator can modify his privileges to allow write access to that logfile. But it's serious and rare enough that log files should not be writeable by normal sudoers.

Re:Wrong

[metamatic]

Unfortunately, a lot of those remote admin programs have costs associated with them--like the security issues of running any kind of PHP script. Even webmin has had holes.

Then there are ports and firewalls, JDBC versions, having to match ODBC version with server version, and often having another set of IDs and passwords to deal with too.

On the whole I'd rather use the command line database client for admin via SSH than go through all the increased work necessary to provide secure remote database administration through some other means.

Re:Wrong

[Ash-Fox]

If I am a generic system admin, and if I wanted to be malicious, and remove my tracks after doing something. I a quite certain I wouldn't have a problem doing so via sudo.

I don't have to type in the log filename, location etc. todo it either. Heck, just having access to VIM under sudo is enough.

Re:Wrong

[Christopher+Cashell]

That's why in real productions shops, all machines log to a central loghost. Then you have additional security and accountability that isn't compromised with a single machine.

yes, use your powers for good

[steveprice]

Alias sudo to su, place the new su in their path first. When they figure it out, they've earned the right to use su! But by then they should be grown up enough to sudo.

Re:yes, use your powers for good

Spoken like a true BOFH

Textbooks

Well, if you ask the publishers/authors of The Linux+ Guide to Linux Certification (Second Edition), you should be running EVERYTHING as root. Doing ls? Root. Writing a little shell script that prints "HELLO WORLD" on the terminal? Root. Using X? Root. Surfing the web? Root.

Seriously, the authors of this book need to be shot. And so does CompTIA for endorsing it, but CompTIA sucks at everything anyway.

Audit trails

[DarkFyre]

Not only does sudo log what commands are executed, it tells you who executed them. This is useful even in day-to-day use when you do something silly. But in corporate environments, this is a necessity. If your company falls under the provisions of the Sarbanes-Oxley act, you are legally obliged to have this audit information.

I know it's convenient to log in as root, but convenience mixed with privilege mixed with production systems is going to lead to unhappiness in the long run. Suck it up and disable root logins (and configure sudo to prevent your lazy users from running shells).

Got Root - Need Root

[Ajehals]

(Disclaimer, its 3 am, I've just given up doing a code audit on the basis that I am too tired, so if this doesn't make sense, I am sorry, oh and don't take my advice or even think about relying it the following statement is as is, and comes with no warranty - would be first post but its taken me half an hour to write this.. :) )

When you are logged in as root you have unlimited access to all files, and it is possible to remove or modify a file that is vital to the system, this is generally not good, and often not required. If you set up a server securely you should be able to create accounts that have the access that you require to carry out specific tasks (still preferably using sudo, or su'ing to the relevant account), this is as much a common sense measure as pure security precaution.

You could argue that you can log in as root as long as you avoid using wild card designators when executing commands and keep track of your current working directory and try not to mess anything up, but there are a load good reasons to use sudo or su to root (or preferably an account specified for a task) instead, here are the ones I find most important:

Firstly you get some accounting, if Joe Bloggs su's to root and breaks / steals / misconfigure's something, at least you know it was Joe Bloggs (or someone using Joes account)

Secondly if you have remote access only as a non root user (this should be a given, never log in via ssh or webmin or whatever as root, (it can be a nightmare when you think your on system A but are on system B and do something you didn't mean to, never mind as root...) any attacker is going to have to find a non privileged account to gain access to a system, and then gain root privileges..

Thirdly if you have set up a number of administrative users for specific tasks you can compartmentalise your systems maintenance and you don't have to give someone you don't trust root access to carry out basic maintenance.

Lastly, the less you use your root account (directly or by whatever means) the less likely you are to break it. Lets be honest, I'd love to log in as root all the time, it would make life easier, but it would get rid of quite a few of the security benefits Linux/Unix brings and I'd probably break things more often. If you get used to using the root account you will continue to use it more and more until you find yourself logged in as root surfing the web whilst playing some bzflag beta just waiting for someone or something to break your box. (not to mention the hours you would spend making it possible to log in as root and use all your apps that are (probably) not going to like being run as root).

Personally when I set up a secure server I try to ensure that I have users with the relevant rights set up for specific tasks and no more and only issue those accounts to users who require them. I mount as many of the file systems as possible read only, I try to ensure I ship log files out to a box that no-one with root privileges on the first box has access to, and I automate as many of the maintenance tasks as possible. Oh and I don't use sudo, and on hyper critical servers the full root password is known to no one, I have half my oppo has the other half, and never the two shall meet (although this causes inconvenience when you do need it...!!)

This prevents foul ups and gives you a security baseline.

Oh and if you do log in as root make sure its not ever into a Desktop Environment (or any complex environment really) because there are just too many apps executing as root at that point to keep track of properly, and way too many potential security vulnerabilities...

Re:Got Root - Need Root

[lengau]

When you are logged in as root you have unlimited access to all files, and it is possible to remove or modify a file that is vital to the system, this is generally not good, and often not required.

What are you talking about? When has anybody eveer needed /vmlinuz?

Re:Got Root - Need Root

[fimbulvetr]

What are you talking about? When has anybody eveer needed /vmlinuz?

As a matter of fact, no. I find grub's command line to be quite accomodating and featureful. When I don't have vmlinuz, I can just append .old onto vmlinuz. What? Someone that doesn't use debian? Pfft, they deserve it.

Re:Got Root - Need Root

[Ash-Fox]

sudo doesn't help much with people who do 'sudo /usr/bin/bash'.

Anyome who has access to rm, can easilly craft a command that deletes the log file.

(Yes, I know you can restrict access to it, the problem is, people will still try to get a terminal anyway they can.)

If you want to stop such issues, don't give them access at all.

Re:Got Root - Need Root

[lengau]

I was just choosing [Generic file that is quite often mandatory]. I know that it's not ALWAYS necessary, but there's absolutely nothing that's always necessary.

I have root, and love it

[Gothmolly]

I wrangled root for the ~7 servers that I'm directly responsible for, and use it all the time. The first thing that I do was re-enable direct root login. Now, the sudo fanboys and "best practice" fags out there will cry about this. But try running a redirected X session after you've lost all your X authentication info, because you're at least 1 'su' deep.

I run my APPS as non-root, because I don't want an unattended session or process barfing all over the place, or filling a FS, or offering a remote hole to someone and providing the keys to the kingdom.

but day to day stuff, tailling log files, etc.? Root is the only way to go.

Re:I have root, and love it

[run4ever79]

Looking at log files! A group policy can accomplish this without giving someone the keys to the kingdom. The OP was about allowing coworkers to have root access. You might not do anything deleterous yourself, but one of them might and *gasp* set you up to go down for it.

Re:I have root, and love it

1) What real unix admin needs anything more than a shell?

2) If you want to be root all the time, just stick to Windows.

3) There is no *good* reason to su or login as root. sudo is everything you need - set your systems up right and get over it. Sticking to root is just being LAZY.

Re:I have root, and love it

[atriusofbricia]

Wow, I'm glad you're not on any box I have authority over. Your account would be locked within the hour. Besides, if you can't figure out how to get a redirected X session working having su'ed, do you really need root? Given that disabling direct root login is pretty much the first step done in securing any box, and pretty much everyone in the world agrees with that... Maybe you're the one that's wrong.

On the other hand.. maybe you're trying to be funny. God I hope so.

Re:I have root, and love it

[fimbulvetr]

But try running a redirected X session after you've lost all your X authentication info, because you're at least 1 'su' deep.

Is it possible that real sysadmins perhaps understand the underlying mechanisms of xforwarding and set the oh-so-hard-to-research XAUTHORITY variable? Wait? It's documented? I never saw that in my Redhat Users guide!!!

Sometimes, though it might be difficult for you to understand, it might help to RTFM. Guess that's the difference between sysadmins and wannabe admins. Sysadmins occasionally RTFM, with the possibility that they even might understand how commands work.

Re:I have root, and love it

[SillyNickName4me]

Not everyone in the world agrees.

When using su, you have to type the root password and it is being sent over the network. Encrypted, sure, but more vulnerable to time analysis then a RSA/DSA key used to directly access the root account.

Not the right response

This probably isn't the response you're looking for, but if you can't trust the people to login with root, don't give them the sudo command. If you trust them with root, then stop worrying about remote logins, as long as you don't allow telnet/ftp or any other network login with a non-encrypted password stream.

If you don't trust your users, then you want to see what they execute as root and keep logs...which is downright silly to me. I guess if you have an environment that must be VERY secure and have audits on everything...such as systems that do financial transactions, then auditing/limited root commands with sudo is a great idea. But if you have sysadmins and you don't trust them getting on the general boxes as root, then you better not give them sudo.

Thats just my take on it. I personally login as root on all of my linux installs and find it silly to install a desktop and login as non-root. Yea yea, I know...lots of flames here on top security and what-not, but I could care less about security on my desktop system. I'd like to hear of cases where someone logged in remotely using ssh as root, and it caused a problem that couldn't have occurred with an unrestricted SUDO setup (note that I said unrestricted). SUDO, in my opinion, creates a lot of hidden security holes. When you give people SUDO rights, you better know damn well what each program they execute does inside out. For instance, vi can execute a shell. So can more or less. the IFS can be changed on many operating system to cause a program which has root privilges to changes things like system("/usr/bin/echo") to system("usr bin echo")...meaning if the program "usr" is in the path, it would get executed as root, allow a shell to be created. So SUDO is a very bad thing if you haven't reviewed the source code of every program you allow to be executed with sudo.

Using Root.

[run4ever79]

There is an expression that goes way back, "The amount of time that you spend logged in as root is inversely proportional to your competence as an admin." Once a machine is configured, there are only a small number of legitimate reasons to login as root, and nearly all of these can be more safely done using sudo as others have mentioned. For a good treatment of this see: http://www.theregister.co.uk/2006/02/24/bofh_2006_ episode_8/ . Also as previously mentioned root should _NEVER_ be able to login remotely. You might as well set up your DNS to name your box pleasehackme.domain.com. (Although you can rename the super-user account, which can be tricky to do right).

Re:Using Root.

[MichaelSmith]

Although you can rename the super-user account, which can be tricky to do right

The sysadmin at work did it for me on my workstation just by duplicating the first line of /etc/passwd and changing the username to my-root

Re:Using Root.

[fimbulvetr]

He who plays with root, will soon kill tree.

Someone other than me deserves credit for this oh-so-true statement.

Been using sudo since forever..

[Agilo]

I've been using a user account and "sudo" since my learning days (some years ago) and I feel it's very good practice.
I "su" only when I actually need to (not that often, mainly when I do a lot of maintenance i.e. kernel upgrades and the likes) which is, in my opinion, the way people should be doing it.

Regulatory compliance in general

[Beryllium+Sphere(tm)]

>under the provisions of the Sarbanes-Oxley act, you are legally obliged to have this audit information.

REAL important point. It's not just SOX. Under HIPAA, I seem to remember that shared accounts are illegal. You may also be subject to some contractual restrictions, like VISA's PCI or CISP or whatever they call it this year. That may also decree "no shared accounts".

>configure sudo to prevent your lazy users from running shells

which is of course good advice but gets interesting pretty fast when you think of all the programs that have shell escapes. Not completely impossible, though, and it shouldn't be hard to find example /etc/sudoers configurations.

Re:Regulatory compliance in general

>configure sudo to prevent your lazy users from running shells

which is of course good advice but gets interesting pretty fast when you think of all the programs that have shell escapes. Not completely impossible, though, and it shouldn't be hard to find example /etc/sudoers configurations.

There is a sudoers option called noexec that prevents this. You would turn off the shell escapes, then make a whitelist with the EXEC tag for commands that are allowed to escape.

Defaults noexec
user host = (privileged_user) EXEC: /usr/bin/vi

Depends...

[SanityInAnarchy]

If your system is mostly stable, and you'd mostly be running a bunch of scripts from root anyway, then you might like sudo. It'll give you the logging, and if the scripts are secure, you aren't actually giving up root.

However, most of what I do, I don't currently have such scripts. They wouldn't be hard to write, but I'd have to keep updating them, and there's too much that I constantly like to tweak. Thus, while I stay a normal user most of the time, I use root for admin stuff.

That said, I have started to drop privelages for certain things. For instance, a "webmaster" account to manage the webserver, along with per-site user accounts, just makes sense.

But again, that depends on your situation. Do you have a lot of highly specialized admins, or a few damn good general ones? If your admins are specialized, there's no reason the web admin needs access to the mail system, or vice versa, and neither should get root. If your admins are generalized, sudo (or user accounts) will probably just end up getting in their way.

Take a good, hard look at your own situation and decide for yourself whether sudo makes sense for you.

Sudo for me

[ClamIAm]

Mostly because I use Ubuntu and still suck enough at unix to not care.

depends on your setup

[bonezed]

at work I log into our dev servers mostly as root

but anything open to the public does not permit root login, plus has other restrictions in place

rm -f

[Spazmania]

Ever done an "rm -f file. *"? Yes, that's a space in there after the dot. Added by a mistaken reflex. Oops.

Do that as a normal user account and its bad. Do that as root... Well, do you wanna spend the rest of the day rebuilding the machine?

Now, on the sudo vs. su argument I personally favor su. When you have to explore a problem with the service down until its fixed you don't want anything slowing you down. Try something as simple as "sudo ls /var/spool/mqueue/q*". Doesn't work. It tries to expand the wildcard as your normal user account which doesn't have access to the directory. It just makes more sense to su and then go exploring.

But you don't do that in every window; you only do it in the windows where you're intentionally performing systems administration functions.

Re:rm -f

[nwanua]

You know the funny thing about the rm -f thing? These days, it does more harm when I'm logged in as myself than when logged in as root:

When I sudo into root, I am typically in some sub-directory (ie. /usr/local, /etc, or /var). A badly written rm -f removes parts of my system sure, but my home folder is usually unnaffected. An hour tops to restore stuff.

However, if I were to make the same mistake any in my home tree (which is where I normally am when not sudo or root), I've lost a crapload of hours of personal work.

So for personal machines (and a lot of us are running our own personal unixen these days), I'd argue that one is more likely to actually do some real damage (albeit to your stuff) as a regular user than as root (or sudo)

Just a thought....

Re:rm -f

[pintpusher]

I have to admit it. I've done it just like this

rm -rf /etc[space]/cups(or whatever it was)

as root. yup. so about 10 seconds later I see it but its too late. all of /etc is GONE.

oh well. its only time.

sudo means no password sharing

[shift]

I hate coming into a place and finding out that passwords for accounts like root are shared. Its also a real pain when someone leaves the company. Where I work, we've basically tossed out the root password and grant access with sudo. We just have to disable accounts when someone leaves and not scramble to change a password then make sure every who needs to know is notified.

Sudo, Generally, But ..

[hbo]

I use sudo routinely, for many of the great reasons outlined above. But how do you do egrep '^From: Postmaster' /var/spool/mqueue/qf*" with sudo?

You don't. Globbing is broken because the shell does it before sudo is run. This gets around the problem:

sudo "sh -c '(cd /var/spool/mqueue;egrep ^From:\ Postmaster qf*)'"

That works, but it's ugly, and I have to be able to invoke the shell with sudo in the first place.

I/O redirection is similarly broken. sudo grep root ~/cron_jobs >> /etc/crontab will fail because your shell will do the I/O redirection, not the sudo enabled grep. This works:

grep root ~/cron_jobs | sudo tee -a /etc/crontab >dev/null

This time, tee is the one appending the output, not the shell.

I use these workarounds with sudo quite a lot. It seems I need the latter more often than the former. But I stick with sudo regardless, for the shell environment consistency, and the ability to go back and see what I did wrong 12 hours after the 36 hour hacking session ended.

Re:Sudo, Generally, But ..

[shish]

But how do you do egrep '^From: Postmaster' /var/spool/mqueue/qf*" with sudo?

sudo -s
egrep '^From: Postmaster' /var/spool/mqueue/qf*
Ctrl-D

All the power of a root shell is still there, it's just easier to not use it~

Re:Sudo, Generally, But ..

[hbo]

What happens to your audit trail between sudo -s and Ctrl-D?

It's gone, as far as sudo is concerned. The contortions I describe, while a bit hard on the fingers, maintain the automatic record sudo makes of my rootly actions.

Re:Sudo, Generally, But ..

[Quixotic+Raindrop]

one quick and dirty attempt:

#!/usr/bin/perl -w
use strict;

opendir(QUEUE, "/var/spool/mqueue") or die "Can't open mqueue for reading: $!";
while (defined(my $file = readdir(QUEUE))) {

next unless $file =~ /qf.*/;
open (IN, $file);
while (<IN>) {

if ($_ =~ /^From:\S+Postmaster/) { print chomp($_). "\n\n"; }

}

}

save as "from_postmaster" or something. run 'that' as sudo. Tweak accordingly. (I'm not absolutely sure it will work as written, but it should come pretty close, and is just an example anyway).

more On-topic ... personally, I usually su - for anything that's not a quick-and-dirty hax0r like this one; but it's a waste of time, personally, to su - for silly maintenance tasks. I do it three or four times, get fed up with the tedium of it, write a script like this, and add it to sudoers. After running it a few times and knowing that it works, then forgetting to run it a few times, I usually tweak it, test it, add it to root's crontab, and have it leave a log file.

Lazy and impatient.

Re:Sudo, Generally, But ..

[BerkeleyDude]

Is there a similar workaround for X forwarding? (Short of manually setting $XAUTHORITY, etc.)

With "su -", it just works. With "sudo" - it doesn't, and I don't see any options to turn it on.

Re:Sudo, Generally, But ..

Wow, I've never seen a more direct and immediate example of Perl Syndrome--hack together a 10 line script to do what the shell does trivially in one line. 'Lazy' and 'Impatient' my arse.

Re:Sudo, Generally, But ..

[Quixotic+Raindrop]

Except that, my version you can run sudo. :)

root vs. sudo

[ravenoak]

IMHO, root should be limited to login on an actual tty (with a very secure password, nothing less than 13 characters, alpha-numeric with special characters) and use sudo for everything else. Like a lot of other people have said, sudo is rather powerful. Using sudo enables you to limit the commands that a user can run as root, including creating several groups of users that can run different sets of commands, and leaves an audit trail. Granted, all of that might be over-kill for a one-person operation at home (any sort of critical environment should use sudo to it's fullest, and business == critical), but I still use sudo for my personal machines because I believe it to be good practice, I just don't use all of sudo's functionality.

Why do they have root?

[NNKK]

If they're not a sysadmin, they don't need the root password. They probably don't need sudo, either. If they have the former, your internal policies are broken. If they have the latter, you better be damn sure of why. sudo is far from foolproof. It's almost exactly like making select binaries suid root and available only to a specific group, except that it's more convenient (good), and introduces an extra suid root binary that could have a security bug (bad).

If they are a sysadmin, and we're talking production servers, they're either qualified to decide what's best for their particular situation, in which case you really don't need to be questioning them (if their judgement isn't trustworthy, what the HELL are they doing in a sysadmin position?) and you're just wasting everyone's time, or they're just generally incompetent, in which case either the IT department will eventually be taken over by someone competent and the house will be cleaned, or the company will die a slow and painful death. Either way, it's all pretty moot.

Make sure your resume is up-to-date.

Root is tempting

[SlappyBastard]

But you have to fight Satan and accept that some practices are for the better. For me, root was more bad habit from tinkering with Linux before delving into servers as a real world business. Especially when you're learning on your own, anything but root feels like being in a full body cast. But, once you learn and grow up with it as a business, you recognize that it's just poor practice to have root access sitting there begging you (and others) to cause havok. Look at it this way: how beautiful would the world be if we could restrict Windows users as easily?

It comes down to experience...

[ZackStone]

I have 12+ years of *nix admin experience. During these years I worked together with many administrators of various experience levels. If I can note one correlation it would be that those lacking in admin experience tend to log in as root more often (if not always). One reason is out of an unconscious fear that something won't work and they won't be able to figure out what.

Many of the above posts advocating root login/root all the time seem to display similar characteristics. The real question is whether there is both a 10+ year and an experienced sysadmin out there who logs in as root all the time? Chances are give enough time and experience one will learn one way or another all the many reasons why all root all the time may not such a good idea?

PS. One more question for the road? How may out there are brave enough to do "rm -rf *" (even after a pwd) as root?

Re:It comes down to experience...

I have been a sysadmin for more than twenty years, and still mostly use root. I see the point of sudo, but if I'm trying to figure something out, it's a hassle not to be able to "cd" because "sudo" runs commands in a subshell so a "cd" doesn't have any effect on subsequent commands so I have to type full pathnames for the logfile I'm tailing or whatever (and running a shell from sudo defeats the purpose!). Anyway, I don't use root unless I really need to. And I do type "rm -rf *", but rarely, only after doing "pwd", and even then stare at it for a minute before hitting enter.

Re:It comes down to experience...

[r00t]

You can have more than one login at the same time. You can change the window appearance to mark one of them as being special. Pick a font, text color, background color, title bar name...

Log in as a regular user too, first, so you won't be tempted to abuse the root login. Log in several times as the regular user, as needed to ensure that at least one will always be at a command prompt.

As for "rm -rf *", I'd never do it because it's a silly command. It would leave you in an empty directory. Go up a level first, then use the directory name.

Re:It comes down to experience...

[jmorris42]

> I'd never run that command. I'd 'cd' to the level above and then use 'rm -rf dirname'.

Just because you have never needed to erase the contents of a directory while leaving the dir itself is no reason to assume nobody ever needs to do it.

Consider the case of building RPM packages. After you are done you routinely clean out the stuff in the SPECS, SOURCES and BUILD directories but you need to leave the top levels intact.

Yes you would probably delete them all with one command from the common ~/rpmbuild directory but it serves as the trivial example to call your overly broad statement into question.

Re:It comes down to experience...

[ZackStone]

I think the spirit of his statement (i.e. cd up and then delete the folder) shows then tendancy to avoid "Kleene star (*)" whenever possible in an attemt to minimize ambiguity while executing a potentially destructive command. Since by it's very nature * matches as much as possible I'd always prefer to manually type what needs to be removed rather then taking a chance I overlooked something (which is very likely at 4AM).

Re:It comes down to experience...

[cloudmaster]

cd /usr/src/RPM
rm -rf {SPECS,SOURCES,BUILD}/{.??*,*}

You'll get a few STDERR warnings about stuff not existing, but it'll work just fine. And it doesn't require a bare star. :)

In general, rm -rf dirname/* dirname/.??* (or possibly dirname/{*,.??*} if you really like the Bourne list expansion version) will do what you need. Wrap it in a shell script if you do it all the time...

sudo

[yagu]

I am the ONLY administrator, and mostly the only user of all and any of my machines and for various reasons I do virtually all root activity via sudo.

When I began building a home network (mostly by collecting odds and ends of old computers and connecting them) and built them up with linux I found myself automatically using sudo because that was the way I did it at work. And I found reasons that made sense in a work environment also resonated at home even in a one-user universe.

Auditability was reason number one for sudo at work. There was a lot of trust and there were more than one or two who had full sudo priveleges but it was handy to know who was using sudo, when, and what for. At home auditability is less an issue since it's virtually singular I'm the poser. But it is still nice to see the track of activity in syslog when you start wondering, "Did I really do that crazy thing thats f***ed up the system?"

And, just plain pragmatism was the second reason for sudo. IM(NSH)O I'm a pretty darned good admin, and know the ins and outs of all Unix flavors and can be as aware and cautious as the next person. But it only takes once as root to do something really stupid before counting to 10ms. I would rather have a command NOT do something when I inadvertantly forget to sudo a command than inadvertantly do something because I issued the command as root.

Nuff said.

Depends on what I'm doing

[miyako]

IANASA (I am not a system administrator), but on my own boxes I tend to use sudo if the task I'm doing only involves a few steps. If I'm doing something that requires more than 4 or 5 commands, then I tend to su -

sudo is all wrong

[r00t]

Sudo adds complexity where you least want to have it. A config file that you can mess up? No thanks.

Plain old su works well. It leaves a log, via the shell history file. You can adjust the history file size if needed. If you want a secure and uneditable log, neither will do. Breaking out of sudo is easy; normal command-line software is not designed to keep you in the setuid-like environment that sudo provides. Regular old apps will have buffer overflows, which are not considered security holes... until you go making the apps setuid or - equivalently - letting them be run via sudo.

If you'd be tempted to leave yourself su to root, first open a second window. Now you have one window for root-only stuff, and one window for everything else. Change the font or color or window title if you need help remembering.

Re:sudo is all wrong

You stil have root if you screw up the file.

It is not complicated.

If you think it is Unix Admin isn't your thing.

Re:sudo is all wrong

[WilliamSChips]

Not if you're on Ubuntu and using sudo to reach the editor for sudoers, and you make a typo that prevents you from getting root. Then you're screwed if you don't have Knoppix.

Re:sudo is all wrong

You should use visudo rather than editing the file directly. It will warn you if the syntax is incorrect, and not install the new sudoers file. Now if you somehow remove your acces to the sudoers file, that's a whole different issue I guess. Are you sure Unix Admin is for you?

Re:sudo is all wrong

[JohnnyComeLately]

I'd say mad props using SUDO at home. I'd have to say the people who are against it really don't admin that many boxes or have that many users. Security is best in layers and a breach is "not IF, it's WHEN and HOW BAD". Got Root Kit? Home use of SUDO is a bit extreme, but I'd stil say it's useful because it keeps you disciplined and sharp (because you know how to apply it at work, or wherever else it can come in handy). Hence, I'd support it. Me? I'm lazy. Ive got my Sun servers at home (Solaris in a few flavors) not allowing root to login remotely, and then I su. I figure if someone can get past my security, I'm 0wn3d and have fun...

At least one exception

[Theatetus]

I can think of two exceptions: never ever run vipw or visudo through sudo. Always run it through su, log in separately and test that the change you made does what you want it to, then log out of your su shell. I can't tell you how many thousands of dollars I've charged my hosting clients to undo a passwd or sudoers change they made using sudo and screwed up.

Re:At least one exception

[fimbulvetr]

Ummm...

If you use visudo, it does the _exact_ same checks as sudo does to the sudoers files before it allows you to write the file. Check the code.

If someone's telling you that they used visudo to edit the file, then saved, then tried to run sudo and it failed because of an error it /etc/sudoers, they're either fibbing or you should report a bug.

Re:At least one exception

[makomk]

If you use visudo, it does the _exact_ same checks as sudo does to the sudoers files before it allows you to write the file. Check the code.

Though visudo catches actual syntax errors (or at least ones that sudo spots), presumably there's nothing stopping you accidentally making some syntatically-valid change that locks you out of using sudo... or even (in theory) a syntactically-invalid change that visudo and sudo both accept for some reason.

Re:At least one exception

[Theatetus]

If someone's telling you that they used visudo to edit the file, then saved, then tried to run sudo and it failed because of an error it /etc/sudoers, they're either fibbing or you should report a bug.

Umm... no. There's nothing invalid about taking the account you can log in as out of the wheel group (OK, that would be gpasswd, which is a 3rd one never to use sudo for), or removing sudo privileges from your own account, or removing sudo privileges from the group you're in. Or removing sudo privileges for one of the commands your account needs to edit passwd or sudoers. Note that OpenBSD effectively forbids running visudo through sudo and requires an interactive login, since /etc/sudoers' permissions must be 600 for sudo to run. This in my opinion is the Right Thing.

the second xterm

[r00t]

That's the right way to do things, provided that you always keep a few available non-root xterms on the desktop as well. (open the non-root ones first, so you won't be tempted to waste the root one for just looking around and reading man pages)

Uhhh... red-on black though? Color change is a good idea, but that's a bit unreadable. Try pink-on-black or white-on-darkred if you have an LCD. If you have a CRT, swap the foreground and background colors.

rm -i

I want rm to use -i by default (alias rm='rm -i') for safety

I used to do that. I don't anymore.

I found that I got too used to the safety factor; and then I would be doing something on a different computer than my own, and the -i would not be there, and I might delete a file or two I didn't intend.

What I do now:

alias r="rm -i"

Then I use "r foo" to remove file foo, and it gives me the interactive prompt.

And then, on another computer, if I unthinkingly type "r foo" it says "r: command not found", and it's simple enough to type "rm !*" or "rm -i !*" as appropriate.

Who needs sudo?

[RoadWarriorX]

echo "Who needs sudo? Well, I am not too sure." >> message.txt
echo "It's not like someone can do something that harmful." >> message.txt
echo "Maybe it's just an overreaction. It's not like I am doing" >> message.txt
rm -rf *.* >> message.txt



Oh crap.

Nah, viruses don't need root

[r00t]

Think about what a virus does these days, remembering that few machines are truly serving multiple people.

• It wants a network connection. Normally, every user has access to that.
• It wants your email client config. As root, it would need to do more searching to find this.
• Supposing you use SE Linux, it wants your SE Linux privs. Perhaps root has been restricted.
• It wants a place to store itself: ~/.something-that-looks-legit
• It wants a way to activate itself: GNOME session startup files, .bashrc, .bash_profile, cron job

So far, I've only found one moderately-useful thing restricted to root: the SYN-flood DoS attack. That's no big deal.

A virus certainly doesn't need to patch the kernel or write to /bin. Those are cool tricks of course, but they don't gain any significant resources and aren't necessary for hiding from normal people.

LEARN FROM EXAMPLE!

Let me tell you a story about an admin who had the habit of logging in at the console of a server as root. And running then-hot SunWindows package. Worked like this all day long. In some windows would su to their own account to check email.

Now one day this admin was in the WRONG WINDOW when typing rm -rf *

The remaining hours of that day/night were spent retrieving files from 9-track backup tape.

Yes that was me about 1989, on the console of a Sun 3/160 server with SunOS.

I am still a sysadmin, but never again do I login as root as a matter of course.

Brave enough?

[RobiOne]

Heh, how many are brave enough to have this alias: d='\rm -rf' and use it in all your accounts?

Think. Then Act. No Problem.

It sounds like you are not really using sudo

[Error27]

It sounds like you can't really articulate a need for sudo but you're just doing it because you read about it. Sudo isn't magically better if you don't use the features.

Also it annoys me that sudo seems to have a lot of security bugs. It had 3 local exploits last year... That doesn't affect whether you should use it or not because you obviously should, I'm just saying that it annoys me.

Sudo's intended use

[RomulusNR]

Sudo's main benefit IMO is to keep unattended terminals and non-password-based attacks from being no-brainer vectors to root. It's not to make it a pain for you to have to type a password just to run root commands; its to make it so that the user is able to run certain root commands and making extra sure before doing so that it is really that user running them (not a hijacked terminal, etc.)

The other benefit is that it allows you to pick and choose who needs access to what root privileges. Junior data center tech A doesn't need access to fsck(), but maybe needs to be able to mount /dev/sdc. (OK, poor example.)

Sudo isn't IMO the solution for all admins, though; extensive admin work quite necessarily can be done with su to root instead. Sudo allows you to keep the root password on a tight leash -- preferably to those who can be responsible with their sessions as well as with root powers.

My two cents on sudo

[xmas2003]

3 categories of admins.

1. Admins who don't have a clue and don't know about sudo so they just login as root. However, if you tell them to use sudo, they are mallable enough that they will listen and do so.

2. Admins who haven't been around a while, but think they know a lot, and therefore insist that sudo is OK for them for a variety of reasons. These folks often won't listen to 'ya. Dangerous!

3. Admins who have been around for a while and insist on using sudo. If you bring 'em into a new environment, it's the first thing they will install if it doesn't exist. They realize it's a good thing and want to have everything they have done logged ... plus all the other reasons enumerated elsewhere.

BTW, Todd Miller has graciousely maintained sudo for years - consider tossing him a few dollars to continue working on it.

root or root not; there is no try

[Tumbleweed]

Look, if you're too much of a pussy about using root because you might screw something up, you shouldn't have the root password anyway, should you. *pbbt* :)

Logging Who's On.

[Stephen+Samuel]

If you've got a half dozen (or dozens of) people who have root login, and something goes on, all you have with a quick look at the log is that someone logged in at 4:15 pm and the system choked at 4:18.

If you force people to login as themselves and then SU (or sudo), then you know who was on the system with root when the system snarked ( And, if they use sudo instead of su, you can even have logs of the commands they used) -- it cuts down on the number of people you have to interview in the rush to figure out what broke the system.

Then, there's also the fact that if someone tricks you into doing something 'bad', it's less likely to catch you flatfooted as root if the only commands you exeute as 'root' are the ones that really need root.

As a last point: If you disable root logins (especially remote root logins), then a hacker needs to hunt down two passwords to get root access -- one for remote access and the other to get root.

Security isn't about making it impossible for an intruder to get in -- It's about making it hard enough that an attacker gives up and goes away -- even if they just go find an easier target (hi bill!).

Audit trail

[horatio]

In addition to the things the parent mentioned about privilege seperaration and permissions, sudo (if configured correctly) gives you an audit trail of what was done by whom and when. If someone fscks the database server, you'll know exactly who to beatdown and where to look for a restore point in your backups.

Apr 16 01:30:30 karma sudo: joeuser : TTY=pts/0 ; PWD=/home/joeuser ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log

It will also let you know if someone is trying to do something you haven't authorized for them in the sudoers file.

On systems where I'm the only user, I almost always use a non-root account to do normal tasks. sudo lets me elevate privileges for the command I need to, ie

$ apt-get install reallycoolwidget

, and then drops back down so I don't forget to exit myself. sudo (generally) does not require you to retype your password for every command, there is a timer. If you're dumb|busy enough to walk away and leave your terminal unlocked, after a few minutes the next sudo attempt will ask for your password again.

One thing to remember, use visudo, not vi /etc/sudoers. The syntax check will likely save your ass one day.

Re:Audit trail

[dascandy]

> One thing to remember, use visudo, not vi /etc/sudoers. The syntax check will likely save your ass one day.

That command is discriminating against the Emacs-people. Why did the sudo people make a visudo and no emacssudo?

Re:Audit trail

[Russellkhan]

Maybe you're trying to be funny (it's hard to tell tone in text) but visudo calls the editor you've specified in your environment variables ($VISUAL or $EDITOR). If it's the name you're objecting to, make an alias.

Re:Audit trail

[makomk]

Maybe you're trying to be funny (it's hard to tell tone in text) but visudo calls the editor you've specified in your environment variables ($VISUAL or $EDITOR). If it's the name you're objecting to, make an alias.

Not exactly. From the visudo man page:

There is a hard-coded list of editors that visudo will use set at compile-time that may be overridden via the editor sudoers Default variable. This list defaults to the path to vi(1) on your system, as determined by the configure script. Normally, visudo does not honor the VISUAL or EDITOR environment variables unless they contain an editor in the aforementioned editors list. However, if visudo is configured with the --with-enveditor flag or the enveditor Default variable is set in sudoers, visudo will use any the editor defines by VISUAL or EDITOR.

I'm not sure what the point of that as a security restriction is - surely if you can edit the sudoers file, you can just give yourself permission to execute whatever command you want anyway?

Re:Audit trail

[TilJ]

If you're serious about the auditing functionality, you need more than just sudo.

Doug Hanks, a SAGE member, started with sudosh (http://sourceforge.net/projects/sudosh/) and now has released Enterprise Audit Shell (EAS). There's a very basic web page and PDF at http://download.strchr.net/, as well as a nice graphic explaining how it works (http://download.strchr.net/eas-layout.png).

Copying from the text of the email announcement a few weeks ago, the list of improvements over Sudosh includes:

* Conforms to COBiT
* Utilized ITIL best practices
* Enterprise-view of UNIX access
* Enterprise-level audit reporting tools for Sarbanes-Oxley
* Customizable audit reports via CSS
* Embedded transactional, ACID-compliant SQL92 relational database
* Load balancing
* Disaster recovery
* SSL encryption
* SSL Public Key Infrastructure authentication
* Audit file transfers and remote command execution when used as a login shell
* Configurable default shels
* Audit logs are digitally signed for integrity
* Client and server configuration files for easy management
* Idle session timeout
* Display corporate policy before eash session

It looks like a serious auditing tool for serious Unix shops.

For simpler needs there's also Kerberos `ksu` as a replacement for sudo, for shops that have already solved their centralized authentication.

if you're in an X session

[subtropolis]

# ~/.bashrc
alias su="xterm -fg white -bg darkred -e su"

SuDo? never..

[Jaqui]

the current trend is to destroy the core of a multiuser system by disabling root and using sudo for all admin activities.
My resonse to this:

You install a no root distro as server and workstation os [ Ubuntu is an example ] and use nis for login control, now every single user in the network has admin access to everything. way to go, you just destroyed the security of the network, your end users can delete software, install software, change network configuration, AT WILL.

stupidest thing to do is to disable root.

second stupidest thing is to use sudo for all admin activities.

Far better to have a limited pool of people who can login as root to do admin, that forces them to look at what needs to be done BEFORE doing anything.

Re:SuDo? never..

[Fizzl]

Uh what? Who would do such thing? I think you have entirely missed the point of the article AND sudo.

I was contemplating for 30 seconds how to moderate, but the scarcity of options just isn't flexible enough for "Wow, you're a clueless asshat!"

Re:SuDo? never..

[Russellkhan]

Among the many things wrong in your post, let me point out that disabling root does not imply giving all users full sudo access. In Ubuntu, your example distro, only the first user created has sudo privileges, unless they are specifically added to another account.

root logins

[solid_liq]

I just have to say this, since no one else has.

For anyone who argues that an attacker could just crack the root password once remotely logged in as a regular user "and probably with a faster machine than they have anyway," the most important reason this argument is false is because a person cannot do a distributed brute force password attack coming from millions of hostage Windows systems with about as many unique IP addresses on the root account if remote root logins are disabled. Never ever ever allow remote root logins!!! I don't know if the person who asked this question was referring to remote logins, but this applies to everyone, so I had to say it for anyone unaware of this attack.

Oh, and that reminds me that I need to find out if the distributed computing project for Linux, cpushare, has any safeguards against people wishing to use it for a purpose such as this.

Comment removed

[account_deleted]

Comment removed based on user account deletion

For all the su holdouts. $sudo sh

[mindKMST]

I like to disable root login on my boxes. Sometimes you need to do a lot as root and sudo gets in the way. The only thing you should be using su for is to run as non-root user and you probably shouldn't be doing that unless you own the account.

Needs to be properly setup

[drsmithy]

Sudo only delivers real benefits if it is properly setup. That is, an /etc/sudoers that restricts which users (or groups) can run which commands, on which machines, etc, etc.

If your /etc/sudoers is only a few lines long and basically does (and is used for) little more than allow users X, Y and Z get a root shell, then there's really little point to using it at all and you may as well just save the annoyance of having to run 'sudo bash', 'sudo su', 'sudo -i' - or whatever other incantation you use to get a root shell - and let people use root all the time.

Sudo can backfire

[dasheiff]

On my home machine if I need to be root I'll su and when i'm done logout of root. The reason is that it is an extra layer of security, an extra passwd. If some snoops my normal account passwd while sshing in, hopefully, they won't then have the root passwd and if my normal account has full sudo privliges they might as well have gotten the root passwd.

Never give developers root ...

[dustpuppy]

In my experience as a dedicated sysadmin working for a huge multinational, every time developers are allowed to have root access to a system, they produce the crappiest application code ever.

Applications that *require* root access to even run and require sub-apps to be root as well. They are slowly getting better (but only because in the last few years we've enforced a policy of no root access to developers).

IMHO, root access encourages sloppy behaviour (in both developers and sysadmins) and it becomes an essential crutch rather than an 'only as needed' facility. With the focus on security, and the requirement to participate in regular security audits (SOX anyway?), it simply suicide to give developers root access.

Re:Never give developers root ...

What, you dont like seeing entire directories recursively chmod'd to 777 ? It's a surefire sign that a developer had access at some point in time.

Security of a normal Account

[LABarr]

I read all the previous posts to this discussion and recalled another glaring obvious reason why you should use sudo vs. root logins. No one has brought this up yet, but when you step away from your desk for that quick trip to the john, and then get snagged for that impromtu 20 minute meeting in the hall, away from your desk the whole time, and you leave a root terminal open on your computer, you really are just asking for trouble. Remember that the largest percentage of security breaches occur from within, not outside the company. At least when you use sudo (as is almost always considered best-practice) from your normal user account, you aren't leaving the door totally wide open when you are away from your desk. Sure, I know all about locking your your display, (which I personally do) even automatically via a screensaver, but the again I have also seen a lot of scary simple root passwords as well. Sloppy habits make sloppy admin'ing. I admin my personal servers as well as any for anyone else via sudo. Another vote soundly in the sudo column.

Sudo and the less voodoo you do to whom?

___
Simulated sig.

If you're using Solaris 10, check these out...

• Enforcing the Two-Person Rule Via Role-Based Access Control in the Solaris 10 Operating System
  
  
• The Least-Privilege Model in Solaris
  
  
• Zones Partioning Technology
  
  
• More info
  
  

Sudo weakens security

[jurgen]

The main problem with sudo is that it weakens security.

It seems that this is surprising to a lot of people because nobody has mentioned this, and people have mentioned that you should never allow remote root logins, yadda, yadda.

Actually there is no problem with remote root logins via ssh and public key authentication... just don't use/allow passwords. I'm continually amazed by how few people understand this, especially considering that practically everyone and their dog already uses ssh for everything anyway (except they use it as though it was telnet... doh!). Ssh is the best thing that ever happened to Unix security, but 99% of people, including sysadmins it appears, use only 1% of its power because they do not understand public key authentication. But I digress...

Passwords are almost always security's weakest link, unless you have truly exceptional password discipline (i.e. chose a good (long, random) pw, have a different one for every account, use it only in safe contexts, never, ever, ever share it even with your twin-sister-wife-best-friend, never write it down, etc). The problem with sudo, from a security standpoint, is that it adds the weakness of every sudoer's password to the root account. Think about this... the INSECURITY of your root account is increased by the sum of all the weaknesses and password in-displine of all your sudoers.

Let me say this again... with sudo your root account's password security is worse than the worst of the passwords of all the sudoers, it accumulates all the weaknesses, all the indiscretions of all your sudoers.

And don't give me any crap about limiting what commands a sudoer can invoke... with sudo any command/program that isn't specifically written to be a /secure/ SUID program is a conduit to root. To give you only the trivial example, you can't do much sysadmin with editing some root-only files, and most editors have a shell-out function. The moment you give anyone usuful sysadmin capabilities using sudo you've made their password a root password.

To their credit most of the people who wrote here that they like sudo like it for the convenience of logging priviledged actions. This is certainly a good practice. Just understand that it is a PRACTICE, not a security feature... if someone wants to get around it, they trivially can. If you want to log for security you have to do it in the kernel and most Unix kernels have such features nowadays.

So, if you want convenient logging of your own actions, go ahead and use sudo. If you want to /improve/ security, keep it away with a 10-foot pole, minimize the use and impact of all passwords, and use Ssh.

Btw., some ssh implementations can do everything you /think/ you're doing with sudo, such as limiting access to commands to certain users, logging actions, etc. Ssh is the swiss army knife of unix security... it can also be misused, but if you learn how to use it correctly and to its full extend you can stop using passwords and /dramatically/ improve your system security.

:j

Re:Sudo weakens security

[demon]

To give you only the trivial example, you can't do much sysadmin with editing some root-only files, and most editors have a shell-out function. The moment you give anyone usuful sysadmin capabilities using sudo you've made their password a root password.

Yes, yes; that's why there's 'rvi'. (And don't tell me "but what about emacs?" - it doesn't count.) There are some programs that can be run via sudo that aren't going to immediately compromise your security.

Re:Sudo weakens security

[nbvb]

+50 points, you get it.

Security is as strong as the weakest link in the fence. And if one of your folks uses their wife's name as a password, then you're hosed.

Disabling password-login for root, but allowing SSH trusted keys from a trusted host works well.

Re:Sudo weakens security

[jurgen]

rvim is useless. It's not enough to prevent shell-out... that's why I said that was a trivial example. You also have to restrict what files can be edited; for example if I can edit any file that will later get executed or included in a script run as a root I can give myself a root shell... I just add a line that sets the suid bit on an exe I have stashed away somewhere. You could add such a line to i.e. one of the sysconfig/network-scripts/. Since almost all unix system administration involves editing such files, again sudo is useless for general system administration.

The moment you use sudo for more than granting some highly specific operator-level priviledges, such as say starting a backup job, your root security is guaranteed to be weakened by it. And even if you think you /are/ very careful, unless you are a real unix security expert you're probably overlooking something.

:j

Re:Sudo weakens security

[jurgen]

Thanks for your vote of confidence... but my post is still only at Score:3 while all sorts of trivial banter is at Score:5. I guess my post is just too deep for the typical /. moderator. ;-)

Btw, it isn't just the wife's name that's the problem with passwords... even if all your sudoers are top-notch sysadmins and sincerely try to have strong passwords, they probably don't (and shouldn't have to) have the discipline with their personal account passwords that they should and might have with a root password. For example, they might have used their personal password at an Internet cafe, or on a computer infected with some pw-grabbing virus, or any any of a zillion other insecure contexts.

:j

Re:Sudo weakens security

[RuneB]

It's important to remember that you don't have to use passwords with sudo when PAM support is compiled in. You can have sudo use other authentication methods, including public key authentication.

Re:Sudo weakens security

Actually there is no problem with remote root logins via ssh and public key authentication.

Allowing root logins at all may still exacerbate your SSH server's vulns. OpenSSH has a history of vulnerabilities. The modern privsep version may make this point (nearly) moot, but do you know the details well enough to say that none of the potential classes of upcoming OpenSSH vuln reports (and there are vuln reports coming) are not exacerbated by allowing root logins?

Allowing root logins via public key also makes your local system (any secret key-holding system) root-equivalent. If someone compromises your authorized box, they now have the target machine compromised as well. You're a bit better off with an encrypted secret key, but I bet you actually don't encrypt your secret keys, considering the way you've separated the idea of keys and passwords. And a bit better off is not the same as well-off; your compromised system can still be sniffed for secret key passwords. The division between machines that you are suggesting that keys give seems roughly as weak as that afforded by passwords. Now, it is true that the passwords themselves ought to be good. As a sysadmin you should have "exceptional" password discipline. At least among the set of all computer users. Because you're a sysadmin.

with sudo any command/program that isn't specifically written to be a /secure/ SUID program is a conduit to root

The other fella's comments about sudo-specific editing trumps your trivial example and it seems to me that many (non-SUID) programs are made with privilege escalation in mind. Consider ssh. Consider that there are vulnerability reports for various tools regarding things like environment sanitization -- why would they bother? Do you honestly believe there are no tools to which root access can be allowed that won't result in unintended escalation?

Did you know that you can restrict the sudo command lines to specific formulations? For example "sudo touch /foo/bar" and only that exact command? Or exactly "sudo /etc/rc.d/init.d/tomcat restart"? Have you used sudo before? If any command that isn't specifically written to be SUID is a "conduit," you should know that some "conduits" are quite hard to traverse. Especially if you straightjacket them to character-specific formulations.

Let me say this again... with sudo your root account's password security is worse than the worst of the passwords of all the sudoers, it accumulates all the weaknesses, all the indiscretions of all your sudoers.

I wanted to bring this up again just after the preceeding topic because this allegation includes it. The root account's password security is not necessarily tied to sudo access. I recommend you familiarize yourself with how you can enable non-escalating sudo access.

If you want to log for security you have to do it in the kernel and most Unix kernels have such features nowadays.

Not sure what this means. I'll address something perhaps related to what you're trying to address: Logging should be done off-machine so that if the machine is compromised, the log, up until the compromise, can be secured distinctly.

logging priviledged actions. This is certainly a good practice. Just understand that it is a PRACTICE, not a security feature

The practice of logging is a "security feature." Maybe you mean some overloading of this nebulous term? Specifically that it does not hinder elevated access if that access is willed (it may still hinder elevation if the attacker desires not to be logged)? Okay, yeah, logging is not intended for that. It's a good point -- don't confuse the auditing value with mechanical blockade value. Further, don't neglect auditing

Re:Sudo weakens security

[ravenoak]

Sure, sudo *can* weaken security. Sure you can use the stock rules of sudo. Perhaps you just uncommented that line that says: "%wheel ALL=(ALL) NOPASSWD: ALL", and you noticed that you can do things like "$ sudo passwd" or "$ sudo su -" and gain root access. If you have a problem with that, don't put untrusted users in the wheel group, and make a new group for less trusted users that need to run *some* commands as root, and make sudo rules that limit it to just that. Will a small application of thought, it shouldn't really be all that hard.

Re:Sudo weakens security

[�berhund]

But to even use sudo, you have to have already logged into the system. An attacker running sudo would have already had to compromise whatever authentication you're using for logins. And I would guess that the user's private key is stored on said machine, as well. I don't know that public key authentication does much in a local context.

Re:Sudo weakens security

[RuneB]

And I would guess that the user's private key is stored on said machine, as well. I don't know that public key authentication does much in a local context.

The user's private key doesn't have to be on the sudo machine. Something like ssh-agent could be used, where the user only types their passphrase on their local machine (or uses a fancy authentication keycard), and sudo could then ask the agent to sign some random blob of data, verifying that the user has the correct key.

This wouldn't be too much extra work if users are already used to using public key authentication for regular logins.

sudo su is *wrong*

[oldosadmin]

sudo has a command line switch for opening a shell. Therefore, the proper way to open a shell with sudo is

sudo -s

For a good laugh...

BOFH episode 8 - 2006

http://www.theregister.co.uk/2006/02/24/bofh_2006_ episode_8/

Bad Idea

[__aalnoi707]

Users + Root Access = Bad Very Very BAD

Kerberos

[pci]

I like sudo, but if you have people that insist on root access use kerberos for your authentication.

Specifically use ksu which allows you give people a root shell without needing the root password.

Bring back 'goto' arguments

These people confusing best practice for external facing hosts with some unwritten law need to check their clucking, lose the arrogance and consider that every set up will be different. My employers production boxes have access to ssh restricted to local subnet and VLAN. There is no route from the internet to these machines. No real reason to use SSH either but nobody wanted to form the habit of logging in as root using telnet.

Irregardless of root login being permitted or not; if you're performing multiple rolls, even when you have set sane group policies, then a root shell can often be the way to go.

It's not about the root access...

[TBone]

At every mid-to-large company I've worked for (the smallest being a 500 person company that runs some little websites like CingularExtras.com), the problem isn't the root access - they hired you, you work there, and you have the trust to do what you need to do in order to perform your assigned tasks. In the end, whether you do that as root, or as bsmith who runs "sudo su -" or even "su -" doesn't really matter.

What does matter, is accounting for which user ran that "rm -rf /mnt/financialReports" and isn't owning up to it. Or which user made system tuning changes that don't seem to be working right. Or any number of things which may or may not be malicious, but need questions answered.

None of the companies I worked for put sudo on servers to limit what their sys admins could do - they put it on the systems so that they could, if something were to happen, figure out which of their admins they needed to go ask questions of. Files are missing, what were you doing. Server isn't behaving right any more, what was the last thing you worked on.

You can't do any of this (easily) if 5 admins are all logging in as the same user. You can do it fairly trivially if you're logging in as your own id and switching to root.

sudo every time

[Grimwiz]

sudo provides much more than su...
1. It authenticates against the same password that you logged in with, not only saving you from learning two, but allowing you to keep the root password secret.
2. It doesnt always have to allow access to root, "sudo -u user" can be used to give application/db access.
3. sudo remembers your access for a little while, allowing you to single-shot commands, causing less irritation than "su -c"
4. You can control it remotely, e.g. by active directory group. This allows centralised user administration of system admins.
5. You can provide privileged access of single shot commands to batch processes.

Sudo is a hassle

[teklob]

I don't use sudo, but it's safer than logging in as root for day to day activities. I run ubuntu but I usually disable sudo, and set a root password. The whole purpose of have the separation of powers is that your regular user account is 'expendable' and thus the password will necessarily be less secure than the root password.
Also, on several occasions, vmware kernel modules have broken sudo in a way that I cannot use it until I reboot the system.
I always sign in as a user, and when I need root, I open a terminal and su for the entire session.

For me it is about passwords

[YoungHack]

No one ever seems to mention this, but for me I use su with the coworkers who have root access. Reason? Pure and simple, I get to set the root password, and I set it hard. For various reasons having to do with parts of the computing environment I don't control, I can't have the same confidence about non-root passwords.

Using su instead of sudo puts one more barrier in the way. If you cracked a regular user account with liberal sudo access but a weak password, the same weak password gets you to root. That isn't true with su.

why?

If you login as root, don't take a piss break without logging out. Certainly don't walk off and forget about it. This should not be done with normal accounts also, but it is obvious why you really don't want to do this with a root account. Root is not a toy.

BEER?

In a computer?

Your brother is crazy.

Try fruit juice.

Sudo is best. My favorite is..

[tickticker]

sudo su -

takes care of everything!!!

Tick

Neither

My Unix box has sudo installed but it isn't SUID and as such unusable, and I tend to keep it this way. It also doesn't allow remote root login, I think thats an horrible practice, even if you do rely on key based authentication through ssh. Simply because you're overlooking the "what might happen" issue. What if an exploit was found in sshd thus allowing people to bypass the key scan and simply get in no matter what? Then I'd rather have a server where only "Dave, Pete and Sandy @mybox" can logon instead of the commonly known "root@mybox".

RBAC is much better suited for this mission in my opinion. No root privileges just allowing the useraccounts access, either direct or through roles, to the things they need to do (firewall, user, printer, filesystem, etc. - management). Then again, I'm using Solaris 10.

Good use of root

[Phreakiture]

The ability to log in as root can be useful if /home and/or /usr are on their own partitions/discs, and one or the other fails or fails to mount. Of course, bringing the system up in runlevel S can be a better answer in such a case.

It depends..

[muirhejs]

To me, whether or not you use sudo depends on the server and what you are doing. I'm much more likely to act as root on a development server than a production one. If I don't know a lot about the server I'm on or I know it is very critical, I'll use sudo more diligently. However, if I'm on a server doing something I've done plenty of times before, I might 'sudo ksh' to perform my work.

I know SA's that shell out to root without ever incurring a problem-- they've learned the hard way in the past and now have the judgment and experience to be careful. Depending on what's being done, I may do an echo `dosomething here` before I run the command to make sure any variable interpretation occurs as expected.

I also know an very experienced SA who has zeroed out /etc/passwd by misprinting a character. Sudo doesn't protect a bad misprint- it hopefully helps the user identify it before it's too late.

For me, the bottom line is whether the SA needs the reminder to double check his/her work before executing a command. For me, sometimes I have a comfort level to not need the reminder; other times I know that I need to be more careful.

PEBKAC

No Small Actors, Only Small Parts...

"Remember, There are no small Actors......Only small Parts"

Yes, but there are big actors with small parts.