Got Root - Should You Use It?

vegthura asks: "I have several coworkers that insist that logging into servers is an acceptable practice. They claim it's just easier than using sudo and it's just as safe - you know you're root so what else do you need? And why bother logging in as you if you're just going to use sudo to run commands with root privileges anyway? Everything I've ever read has been the exact opposite philosophy. There is very little you need to be root to do, if anything in practice, and using sudo lets you only use the power of root for when you really need it. So, die hard unix geeks, you've got root... do you use it or stick to sudo?"

Sudo wins for me

[Smitedogg]

Using sudo, you can allow 'some' root commands to other users/admins without opening up the vault, and you can do a lot of smart things like keep root unable to be logged into, or have a true strong password that you can lock in a safe somewhere, all without losing functionality.

More than just root

[Sentry21]

Using sudo provides a host of benefits besides giving you root. Sudo allows you to grant access to specific users for specific commands, and then revoke those commands later. Compare this with giving the root password to everyone, which requires the password to be changed whenever someone leaves the company (or someone's root privs are revoked).

I can grant access via sudo to users for specific commands, without giving them complete administrative access to the entire system.

When I'm using 'sudo' to do things, my environment stays the same. This means that my $PATH variable stays the same, and so does my prompt. It means that any time I say ~ it refers to /home/myusername and not /root, meaning I can get to it later.

When I'm not using sudo and I do 'cd /var/www/certs/domainname/' and it doesn't give me an error, I know that the permissions are wrong on that directory (more of a reminder than anything). I've gotten so used to this on most systems that the series of commands I use to access the IMAP virtualhost directory is essentially 'cd /var/spool/postfix/virtual; sudo bash; cd /var/spool/postfix/virtual', which slows me down surprisingly not much.

It doesn't take much to hit the up arrow, Ctrl-A, type 'sudo ' and then hit enter if you find you need to.

I can set in ~/.bash_profile that I want rm to use -i by default (alias rm='rm -i') for safety, which carries over into my 'sudo' environment; doing this for root by default can cause e.g. cronjobs to hang, waiting for input that will never come.

The benefits of sudo are not limited to 'gaining root' - they are multitudinous, and apparently your coworkers have never considered versatility to be a benefit; nor, for that matter, have they done likewise for security. Perhaps they should be educated.

Sudo

[doon]

I even use sudo on my *nix boxes @ home. I am a firm believer in sudo. mainly since if I do something stupid with it, I have a log of what it was. We also use sudo at work on all of our boxes(40+), to me it just makes it easier, and makes for one less password to remember. ALso the majority of tasks that I need to do, I can do as myself, there are some tasks, such as restarting services,etc that I need root to be able to do, so as opposed to su'ing over to root, (we don't allow root logins), it is just as easy to sudo the command. Once we get around to hiring a Jr admin, we will use sudo to limit what they can access.

Re:Use sudo rarely?

[techno-vampire]

Maybe I am missing something somewhere, but the 'use sudo if you absolutely need root' is crap.

You are. The right way to say it is, "Use sudo if you only need to run one command as root; log in as root only when you're going to need to do a number of things that require root."

As a side-note, somebody upstream noted that sudo doesn't change your environment, but becoming root does. If you don't need root's environment, just use su, instead of "su -" and you keep your current location, $PATH and other things.

Logging Who's On.

[Stephen+Samuel]

If you've got a half dozen (or dozens of) people who have root login, and something goes on, all you have with a quick look at the log is that someone logged in at 4:15 pm and the system choked at 4:18.

If you force people to login as themselves and then SU (or sudo), then you know who was on the system with root when the system snarked ( And, if they use sudo instead of su, you can even have logs of the commands they used) -- it cuts down on the number of people you have to interview in the rush to figure out what broke the system.

Then, there's also the fact that if someone tricks you into doing something 'bad', it's less likely to catch you flatfooted as root if the only commands you exeute as 'root' are the ones that really need root.

As a last point: If you disable root logins (especially remote root logins), then a hacker needs to hunt down two passwords to get root access -- one for remote access and the other to get root.

Security isn't about making it impossible for an intruder to get in -- It's about making it hard enough that an attacker gives up and goes away -- even if they just go find an easier target (hi bill!).

Audit trail

[horatio]

In addition to the things the parent mentioned about privilege seperaration and permissions, sudo (if configured correctly) gives you an audit trail of what was done by whom and when. If someone fscks the database server, you'll know exactly who to beatdown and where to look for a restore point in your backups.

Apr 16 01:30:30 karma sudo: joeuser : TTY=pts/0 ; PWD=/home/joeuser ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log

It will also let you know if someone is trying to do something you haven't authorized for them in the sudoers file.

On systems where I'm the only user, I almost always use a non-root account to do normal tasks. sudo lets me elevate privileges for the command I need to, ie

$ apt-get install reallycoolwidget

, and then drops back down so I don't forget to exit myself. sudo (generally) does not require you to retype your password for every command, there is a timer. If you're dumb|busy enough to walk away and leave your terminal unlocked, after a few minutes the next sudo attempt will ask for your password again.

One thing to remember, use visudo, not vi /etc/sudoers. The syntax check will likely save your ass one day.

Sudo weakens security

[jurgen]

The main problem with sudo is that it weakens security.

It seems that this is surprising to a lot of people because nobody has mentioned this, and people have mentioned that you should never allow remote root logins, yadda, yadda.

Actually there is no problem with remote root logins via ssh and public key authentication... just don't use/allow passwords. I'm continually amazed by how few people understand this, especially considering that practically everyone and their dog already uses ssh for everything anyway (except they use it as though it was telnet... doh!). Ssh is the best thing that ever happened to Unix security, but 99% of people, including sysadmins it appears, use only 1% of its power because they do not understand public key authentication. But I digress...

Passwords are almost always security's weakest link, unless you have truly exceptional password discipline (i.e. chose a good (long, random) pw, have a different one for every account, use it only in safe contexts, never, ever, ever share it even with your twin-sister-wife-best-friend, never write it down, etc). The problem with sudo, from a security standpoint, is that it adds the weakness of every sudoer's password to the root account. Think about this... the INSECURITY of your root account is increased by the sum of all the weaknesses and password in-displine of all your sudoers.

Let me say this again... with sudo your root account's password security is worse than the worst of the passwords of all the sudoers, it accumulates all the weaknesses, all the indiscretions of all your sudoers.

And don't give me any crap about limiting what commands a sudoer can invoke... with sudo any command/program that isn't specifically written to be a /secure/ SUID program is a conduit to root. To give you only the trivial example, you can't do much sysadmin with editing some root-only files, and most editors have a shell-out function. The moment you give anyone usuful sysadmin capabilities using sudo you've made their password a root password.

To their credit most of the people who wrote here that they like sudo like it for the convenience of logging priviledged actions. This is certainly a good practice. Just understand that it is a PRACTICE, not a security feature... if someone wants to get around it, they trivially can. If you want to log for security you have to do it in the kernel and most Unix kernels have such features nowadays.

So, if you want convenient logging of your own actions, go ahead and use sudo. If you want to /improve/ security, keep it away with a 10-foot pole, minimize the use and impact of all passwords, and use Ssh.

Btw., some ssh implementations can do everything you /think/ you're doing with sudo, such as limiting access to commands to certain users, logging actions, etc. Ssh is the swiss army knife of unix security... it can also be misused, but if you learn how to use it correctly and to its full extend you can stop using passwords and /dramatically/ improve your system security.

:j