On Apr 1, 2005 12:41 PM, Matthew Miller <mattdm@xxxxxxxxxx> wrote:
> On Fri, Apr 01, 2005 at 04:56:10PM +0000, hicham wrote:
> > I would like to know if I give a user an ALL privilege in the /etc/sudoers
> > does he become a superuser then?
> > isn't that risky?
>
> The user is effectively superuser, yes. However, it's somewhat better, since
> there's still an active step -- authenticating with your own credentials --
> required to switch into privileged mode.
>

Well, it depends on how you set it up. You can set it up to where you have to give *your* password, *root's* password (assuming sudo to root, it's actually the password of whomever you are trying to "become"), or *no* password to use sudo (I believe Fedora's default is your password as Matthew said). Using your password or no password essentially gives the user superuser access, but that does not mean that the user is actually a superuser.

This makes things a little better than logging in as root. Logging in as root is discouraged because of some security risks, such as running complex (read: potentially vulnerable) programs due to being logged in (such as any of the programs involved with running X), accidentally or unknowingly running malicious code (something you downloaded, say), and user error (oops, I really didn't want to run "rm -fr /"). As far as these considerations go, using "sudo" is the same as using "su -", so in this sense, the user is not a superuser.

A user with sudo privileges must use sudo to do anything that requires superuser privileges, and this can be a little more secure because all sudo activity is logged and the user does not need to know the root password (if so configured). So if you trust the user, then it should be safe to set up. If you require the user's password to use sudo, then if someone comes along while the user is logged in and away from the computer, they will still need a password to use sudo and have superuser privileges.

One problem is, the user can do "sudo su -" and then have a root shell, the activities of which are not logged. To echo Mike, look at "man sudo" for more considerations.

Jonathan
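The "sudo su -" gap described in the message above can at least be spotted from sudo's own log. The following is an added example, not part of the original message: it scans sudo syslog lines for successful runs as root whose command is `su` or a bare shell. The shell list and the sample log lines are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Shells that give an unlogged interactive session (assumed list; extend per site).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}

# sudo syslog entry: "<user> : [reason ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_LINE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<status>.*?)TTY=\S+ ; "
    r".*?USER=(?P<target>\S+) ; (?:.*? ; )?COMMAND=(?P<command>.+)$"
)


def root_shell_escapes(log_lines):
    """Return (user, command) for each successful sudo-to-root run that opened a shell."""
    findings = []
    for line in log_lines:
        m = SUDO_LINE.search(line)
        # A non-empty status ("3 incorrect password attempts", ...) means sudo refused.
        if not m or m["status"].strip() or m["target"] != "root":
            continue
        argv = m["command"].split()
        name = PurePosixPath(argv[0]).name
        # su always yields a shell; a shell counts only when it is given no script
        # or -c command, since those arguments are themselves recorded in the log.
        bare_shell = name in SHELLS and all(a.startswith("-") for a in argv[1:])
        if name == "su" or bare_shell:
            findings.append((m["user"], m["command"]))
    return findings


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    "Apr  1 12:41:07 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -",
    "Apr  1 12:42:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd",
    "Apr  1 12:44:02 host sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Apr  1 12:50:31 host sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash",
    "Apr  1 12:55:00 host sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/sh -c /usr/local/sbin/backup.sh",
]

if __name__ == "__main__":
    for user, command in root_shell_escapes(SAMPLE_LOG):
        print(f"{user} opened a root shell via sudo: {command}")
```

Everything typed inside a flagged session is outside sudo's log, so a hit marks where the audit trail for that user stops.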