sudoer vs superuser

hackmiester hackmiester at gmail.com
Sat Apr 2 18:37:25 UTC 2005


To simplify, basically the user has permission to run SINGLE commands as 
root if he is on the sudoers list. This is safer because (to simplify again) 
in order to kill off the system, he can't accidentally type rm -rf 
/boot/vmlinuz-... . He has to precede it with sudo. He can still kill off 
the system, but only intentionally. :-)

On Apr 2, 2005 12:27 PM, Jonathan Berry <berryja at gmail.com> wrote:
> On Apr 1, 2005 12:41 PM, Matthew Miller <mattdm at mattdm.org> wrote:
> > On Fri, Apr 01, 2005 at 04:56:10PM +0000, hicham wrote:
> > > I would like to know if I give a user an ALL privilege in the /etc/sudoers
> > > does he become a superuser then?
> > > isn't that risky?
> >
> > The user is effectively superuser, yes. However, it's somewhat better, since
> > there's still an active step -- authenticating with your own credentials --
> > required to switch into privileged mode.
> >
> 
> Well, it depends on how you set it up. You can set it up to where you
> have to give *your* password, *root's* password (assuming sudo to
> root, it's actually the password of whomever you are trying to
> "become"), or *no* password to use sudo (I believe Fedora's default is
> your password as Matthew said). Using your password or no password
> essentially gives the user superuser access, but that does not mean
> that the user is actually a superuser.
> This makes things a little better than logging in as root. Logging in
> as root is discouraged because of some security risks, such as running
> complex (read: potentially vulnerable) programs due to being logged in
> (such as any of the programs involved with running X), accidentally or
> unknowingly running malicious code (something you downloaded, say),
> and user error (oops, I really didn't want to run "rm -fr /"). As far
> as these considerations go, using "sudo" is the same as using "su -",
> so in this sense, the user is not a superuser.
> A user with sudo privileges must use sudo to do anything that requires
> superuser privileges, and this can be a little more secure because all
> sudo activity is logged and the user does not need to know the root
> password (if so configured). So if you trust the user, then it should
> be safe to set up. If you require the user's password to use sudo,
> then if someone comes along while the user is logged in and away from
> the computer, they will still need a password to use sudo and have
> superuser privileges. One problem is, the user can do "sudo su -" and
> then have a root shell, the activities of which are not logged. To
> echo Mike, look at "man sudo" for more considerations.
> 
> Jonathan


-- 
-hackmiester
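
The thread notes that sudo logs each command but that "sudo su -" yields a root shell whose activity is not logged. The following is an added example, not part of the original messages: a small audit script that scans sudo syslog entries and flags the points where a user opened an interactive shell, so the per-command trail ends there. It assumes the classic sudo syslog line format (TTY= ; PWD= ; USER= ; COMMAND=); the sample log lines are constructed, and the function names and shell list are illustrative.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of sudo syslog entries (host, users and times are made up).
SAMPLE_LOG = """\
Apr  2 12:01:10 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Apr  2 12:03:44 box sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Apr  2 12:05:02 box sudo:    alice : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Apr  2 12:06:30 box sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash -c rpm -qa
Apr  2 12:07:00 box sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su -
"""

# Matches only successful invocations; failed-auth lines carry extra text
# between the user name and TTY= and therefore do not match.
LINE_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<runas>\S+) ;(?: \w+=\S+ ;)* COMMAND=(?P<cmd>.*)$"
)
SHELLS = {"sh", "bash", "zsh", "ksh", "csh", "tcsh", "dash"}  # illustrative list


def opens_shell(command):
    """Heuristic: does this logged command start an interactive shell?"""
    argv = command.split()
    if not argv:
        return False
    name, args = PurePosixPath(argv[0]).name, argv[1:]
    runs_one_command = any(a == "-c" or a.startswith("--command") for a in args)
    if name == "su":
        return not runs_one_command
    if name in SHELLS:
        # A positional argument means a script is being run, not a prompt.
        return not runs_one_command and all(a.startswith("-") for a in args)
    return False


def find_unlogged_shells(log_text):
    """Return (user, tty, command) for each sudo-to-root call that opened a shell."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["runas"] == "root" and opens_shell(m["cmd"]):
            hits.append((m["user"], m["tty"], m["cmd"]))
    return hits


if __name__ == "__main__":
    for user, tty, cmd in find_unlogged_shells(SAMPLE_LOG):
        print(f"{user} on {tty} opened a root shell via sudo: {cmd}")
```
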