Sudo: A better way to secure root
Taken from TechRepublic Email. Jan 4, 2002.
Join up for their mailing lists. They have lots of good stuff. :D
We've all been taught that logging in as root is bad and that we should use su instead. While this is good practice, there are better tools to use than su. Sudo is a tool that gives fine-grained permissions to users to do things as root.
By contrast, su is a global tool: if you issue the command su alone and you know root's password, you'll receive a root shell. This can be dangerous because it requires you to give complete trust to someone who needs root only for a single task on your box, such as restarting a Web or mail server.
With sudo, you can define who gets to do what as root. In addition, you don't need to share the root password, and other users don't get full root shell access.
You can download sudo from the Courtesan Web site; however, most Linux distributions already come with sudo. If it isn't already installed, sudo should be available on your installation CDs as an optional package.
Something else you can do with sudo is lock down access to su. If you strip the setuid bit from /bin/su and grant a user access to su via sudo, you can prevent people who might guess your root password from becoming root. Only the user you've given permission to execute su as root will be able to use it.
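
The lock-down described above, as an added example that is not part of the original TechRepublic text: a shell script that grants one user su through sudo and then strips the setuid bit from /bin/su. The drop-in path /etc/sudoers.d/su-access, the --apply switch and the function names are assumptions, and it assumes a sudo version that reads /etc/sudoers.d.

```shell
#!/bin/sh
# Added example: restrict su to one sudo user. Names and paths other than
# /bin/su are assumptions made for illustration.

# Succeeds if the file at $1 still carries the setuid bit.
has_setuid() {
    [ -u "$1" ]
}

# Strip the setuid bit from $1 and confirm that it is really gone.
strip_setuid() {
    chmod u-s "$1" && ! has_setuid "$1"
}

# Print a sudoers rule letting user $1 run only $2 as root.
# The user name is validated so it cannot smuggle extra sudoers syntax.
su_rule() {
    user=$1; su_path=$2
    case $user in
        ''|*[!a-z0-9_-]*) echo "invalid user name: $user" >&2; return 1 ;;
    esac
    printf '%s ALL = (root) %s\n' "$user" "$su_path"
}

# Write the rule to $3. The file is syntax-checked with visudo (when
# installed) before it is moved into place, so a broken rule never
# reaches the live sudoers configuration.
install_rule() {
    user=$1; su_path=$2; dest=$3
    tmp=$(mktemp) || return 1
    su_rule "$user" "$su_path" > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    chmod 0440 "$tmp" && mv "$tmp" "$dest"
}

# Real run, as root:  sh harden-su.sh --apply USER
# The rule is installed first, so su stays usable if that step fails.
if [ "${1:-}" = "--apply" ]; then
    install_rule "$2" /bin/su /etc/sudoers.d/su-access && strip_setuid /bin/su
fi
```

The named user still ends up with a full root shell through sudo, so choose that account carefully. A package upgrade can restore the setuid bit, so check /bin/su again after updates.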