On 6/26/05, Michael A. Peters <mpeters@xxxxxxx> wrote:
> On Sat, 2005-06-25 at 23:15 -0500, Jonathan Berry wrote:
> > Hi all,
> >
> > I've noticed that with FC4 if I use "sudo su -" to get a root shell
> > and try to open an X application (like a GUI text editor, for
> > instance) I get the error:
> > Xlib: connection to ":0.0" refused by server
> > Xlib: No protocol specified
>
> I saw this mentioned elsewhere in context of pam_console and it seems to
> be a bug - but really, it is a BAD idea to allow sudo to do anything
> that can result in a root shell. Really bad idea. I know that is the
> default on OS X - but OS X has a lot of bad defaults (which is why everyone
> except me has to fix permissions so often - I never log into OS X as an
> admin and thus permissions never get screwed up)

Hi Michael,

Okay, well a bug would explain the difference in behavior.

Yeah, I almost placed a disclaimer about knowing the security risks. I only
have one user, me, and I trust myself fairly well. The problem is, looking
at "man sudo", there are all kinds of gotchas that could allow someone who
really wanted to, to get a root shell by various means other than just
"sudo su -". So to give me this security and still be able to use sudo for
general admin purposes (access to most admin programs) would take too much
effort for the little bit of security gained.

> sudo is to allow certain users to be able to run certain tasks that they
> otherwise would not have sufficient privilege to run. It should ONLY be
> used for users who should not have the root password, but for which
> other authentication mechanisms (such as pam and/or suid) are not proper
> ways to give them access to something they need to do (i.e., a shell script
> that needs permission to mount an iso image over loopback, or a junior
> admin who needs permission to restart apache)

You can configure sudo to run in several different ways. In some ways, it is
not really any different from su, except that sudo has logging capability, so
you have an audit trail to see what commands have been run with sudo. Of
course, if someone gets a root shell, then they could edit that audit trail
so that everything they do is hidden. There are always loopholes in
security. One must pick the battles that are worth being paranoid over :).

The reason I am using sudo is for convenience. I set it up with the NOPASSWD
option, which is not great for security, but as I said, this is a personal,
single-user box. I like having full control of my box, but I don't want to
log in as root, as I do recognize the security risks associated with that as
being severe enough to warrant concern.

> The problem with sudo is that if sudo is configured to allow a user to
> spawn a shell, then the root account is no more secure than that user's
> password.

Honestly, my user's password is probably better than root's at the moment ; ).
I like to have long passwords (> 20 chars, with all types). It's just nice
to only type that in once to log in and then be able to do whatever with
sudo.

> If you want to run a single command as root and you have root access,
> you can do so via
>
> su --command="command to run"

This is the kind of thing sudo was made for. I do use it this way for some
stuff, but if I need to do several commands involving admin stuff, I'll
usually just open up a root shell.

> If you need a root shell, use su - (or just plain su if you don't need
> to get root's environment)

I could do that and just have to type root's password once to get a shell.
That may be my best option. What I do is have a gnome-terminal profile
called root that runs "sudo su -" so I can have a root shell in a tab with a
red background that reminds me to "be careful" :). The sudo just allows me
to skip the password.

> It is a bad idea to use sudo to become root. Even on OS X - which seems
> to be what made the notion of doing that popular.

Again, using sudo is a matter of convenience for me. I see the benefits of
not having to type root's password each time I want to be root as
outweighing any possible security risks, which seem minor considering my
long password, the fact that there is only one user on the box, and that
there is a hardware firewall between the Internet and it. I think the one
user password is enough protection here. In another environment, I would
mostly agree with your comments :).

I don't know about OS X (ahh, okay, just noticed your email address :) ),
but I have installed Ubuntu to see what it is like and it uses sudo
exclusively. Only users in a special admin group have access and have to
type *their* password to use sudo or the similar X helper stuff for GUI
admin tools. root is locked out and cannot log in. It's a different security
model and is interesting. There are certainly pros and cons of both
approaches (sudo with user password or su - with root password).

Jonathan
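A check that illustrates the point both posters circle around, added here as an example and not code from the thread or from the sudo project: a POSIX shell function that reads sudoers-style text and prints every rule that hands out a root shell, either outright (ALL, su, a shell) or through a command with a well-known shell escape, which is the sort of "gotcha" in "man sudo" that makes a narrow-looking grant leak. The sudoers sample is constructed for the example, the list of escape-capable commands is an assumption and not exhaustive, and the matching is a line-level pattern rather than a sudoers parser, so it ignores Cmnd_Alias indirection, #include files and host restrictions.

```shell
#!/bin/sh
# Added example, not code from the thread: flag sudoers rules that hand out a
# root shell, either directly (ALL, su, a shell) or through a command with a
# well-known shell escape (vi's :!sh, less's !sh, find -exec, and so on).
# Line-level pattern match, not a sudoers parser: aliases, include files and
# host restrictions are ignored. Use "visudo -c" for syntax checks.

# Assumed, non-exhaustive list of commands that can spawn a shell as root.
SHELL_ESCAPES='su|sh|bash|dash|zsh|ksh|csh|tcsh|vi|vim|view|nano|emacs|less|more|man|find|awk|perl|python|env|nice|nohup'

# A rule whose command list is ALL, with or without a (runas) spec and NOPASSWD tag.
ROOT_ALL='=[[:space:]]*(\([^)]*\)[[:space:]]*)?(NOPASSWD:[[:space:]]*)?ALL([[:space:]]|$)'
# A command path whose basename is one of the escape-capable programs above.
ESCAPE="/(${SHELL_ESCAPES})([[:space:]]|,|$)"

# Read sudoers text on stdin, print every rule line that grants a shell.
# Usage: flag_shell_rules < /etc/sudoers   (reading the real file needs root)
flag_shell_rules() {
    grep -Ev '^[[:space:]]*(#|Defaults|$)' \
    | grep -E "(${ROOT_ALL})|(${ESCAPE})"
}

# Constructed sample sudoers, not a real file. The first two rules are the
# "sudo su -" setup discussed in the thread; junior and mounter are the kind
# of narrow grants sudo is meant for; webadm looks narrow but vi has :!sh.
SAMPLE='# constructed sample
Defaults    env_reset
jberry   ALL=(ALL) NOPASSWD: ALL
jonathan ALL=(root) NOPASSWD: /bin/su -
junior   ALL=(root) /usr/sbin/apachectl restart
webadm   ALL=(root) /usr/bin/vi /etc/httpd/conf/httpd.conf
mounter  ALL=(root) NOPASSWD: /sbin/mount /dev/loop0, /sbin/umount /dev/loop0'

# Stand-alone run: prints the jberry, jonathan and webadm rules only.
printf '%s\n' "$SAMPLE" | flag_shell_rules
```

The webadm rule is the instructive one: restricting sudo to a single editor command does not keep the user out of a root shell, because vi can run one from inside; granting `sudoedit /etc/httpd/conf/httpd.conf` instead lets the editor run as the user and only the file copy is done as root. The apachectl and mount grants are what the "junior admin" and "loopback mount script" cases in the quoted message look like in practice.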