Thread: Sudo: A better way to secure root

  1. #1
    Senior Member
    Join Date
    Sep 2001

    Sudo: A better way to secure root

    Taken from TechRepublic Email. Jan 4, 2002.
    Join up for their mailing lists. They have lots of good stuff.

    We've all been taught that logging in as root is bad and that we should use su instead. While this is good practice, there are better tools to use than su. Sudo is a tool that gives fine-grained permissions to users to do things as root.

    By contrast, su is a global tool: if you issue the command su alone and you know root's password, you'll receive a root shell. This can be dangerous because it requires you to give complete trust to someone doing something on your box that can only be done as root, such as restarting a Web or mail server.

    With sudo, you can define who gets to do what as root. In addition, you don't need to share the root password, and other users don't get full root shell access.

    You can download sudo from the Courtesan Web site; however, most Linux distributions already come with sudo. If it isn't already installed, sudo should be available on your installation CDs as an optional package.

    Something else you can do with sudo is lock access to su. If you strip the setuid bit from /bin/su and grant a user access to use su via sudo, you can prevent people who might guess your root password from becoming root. Only the user you've given permission to execute su, as root, will be able to use it.
    "Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
    But when you're good and crazy, hehe, the sky's the limit!!"

  2. #2
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Hell yeah, sudo is like can't have a unix system (or linux) without it! It's saved much time for user administration for who has to have access to root w/o giving out the root password and such. So far, it's been one of the top 5 "must install" programs.

    Add in the fact that you can create groups and create command groups, you can lock down users exactly how you want it.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
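
The setup both posts describe, as an added example that is not part of the thread or the TechRepublic article: a constructed sudoers policy built from user and command aliases, plus the su lock-down with a check that the setuid bit is really gone. The user names (alice, bob), alias names and command paths are assumptions.

```shell
#!/bin/sh
# Added example. Users (alice, bob), alias names and command paths are assumptions.

# Write the constructed policy to the file named in $1.
write_policy() {
    cat > "$1" <<'EOF'
# Command groups: what may be run as root
Cmnd_Alias WEB  = /usr/sbin/apachectl restart
Cmnd_Alias MAIL = /etc/init.d/sendmail restart
Cmnd_Alias SU   = /bin/su

# User groups: who is being granted something
User_Alias WEBADMINS  = alice, bob
User_Alias MAILADMINS = bob

# Who gets to do what; each user authenticates with their own password
WEBADMINS  ALL = (root) WEB
MAILADMINS ALL = (root) MAIL
# Only alice can reach a full root shell, through "sudo su"
alice      ALL = (root) SU
EOF
}

# Strip the setuid bit so the binary no longer gains root when run directly.
lock_su() {
    chmod u-s "$1"
}

# Succeed only if $1 exists and carries no setuid bit. Worth re-running after
# package updates, which can reinstall su with its original mode.
su_is_locked() {
    [ -e "$1" ] && [ ! -u "$1" ]
}

# On the real system, as root:
#   p=$(mktemp) && write_policy "$p" && visudo -cf "$p"   # syntax check first
#   (merge the checked policy into sudoers with visudo)
#   lock_su /bin/su && su_is_locked /bin/su
```

Granting SU is equivalent to granting full root, so that line belongs only to accounts that would otherwise have been given the root password.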
