Suvayu Ali <fatkasuvayu+linux@xxxxxxxxx> wrote:
>
> On Monday 18 October 2010 09:15 AM, James Mckenzie wrote:
>> su - exposes the root password and is generally discouraged. sudo
>> does not but exposes which users have this privilege. Logins
>> through unsecured means should be disabled or very closely
>> controlled. Most SAs now disable or remove unsecure login processes
>> at build time.
>>
>
> I am not sure how it is insecure, could you elaborate? At least to me
> giving (limited/full) root privileges to an ordinary user seems a lot
> more risky. Which is what you are doing with the file below.
>
> The way I understand it if I have the following in my /etc/sudoers
> file,
>
> %<user_group> ALL=(ALL) ALL
>

Wow. I would love to be a user on your system. If you understand what sudo does, this would be VERY different. Not to say I would do anything destructive, but access to critical files is exposed to all users, including the default ones, and this is a very big security problem. Of course, I expect that you have taken steps to secure your system by changing all default passwords, assigning strong passwords to all users and using /bin/false for all users that are not supposed to log into your system.

> then there is no difference (other than the logging) between how the
> command is executed as compared to,
>
> $ su -
> Password:
> # <command>

The difference is the password used. Since you have stated how your system is set up, I will not go further.

>
> If my understanding is correct, I fail to see the source of the
> insecurity.
>

Giving ordinary, untrusted users root access is a recipe for disaster in most businesses. su - should not be available except from console and sudo should be restricted to only those users who you have determined to be trustworthy and know how to fix their mistakes. Also root's home directory should NEVER be / (root) but rather something like /home/root.

I've known of several folks who 'forgot' they were root or had either sudo'd or su -'d and then issued the famous (or infamous) rm -rf * wiping out the system or at least destroying critical files.

However, this does not answer the OP's original question: The password used is different for the commands. man sudo should show how to use the command as well as man su.

James McKenzie
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
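As an added example, not part of the thread above, the following shell snippet audits a sudoers-style file for the kind of blanket rule quoted in the reply (`ALL=(ALL) ALL`, with or without a `NOPASSWD:` tag) and lists accounts in a passwd-style file whose login shell is not /bin/false or a nologin shell. It is illustrative code written here, not anything from the list posters: the file contents, group names and account names are constructed sample data, and the function names are made up. The sample sudoers also shows a narrowly scoped rule (a group limited to two specific commands) next to the broad ones, which is the sort of restriction the reply argues for.

```shell
#!/bin/sh
# Added example: audit sudoers rules and login shells. All data below is constructed.

# Print every non-comment sudoers rule whose command list is a bare ALL,
# i.e. any command as the listed target users, optionally tagged (NOPASSWD: etc.).
sudoers_unrestricted_rules() {
    sed -e 's/#.*//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$1" \
      | grep -E '^[^ ]+ [^ ]+=\([^)]*\) ([A-Z_]+: *)*ALL$' || true
}

# Constructed sample sudoers: the blanket rule from the thread beside a scoped one.
# Group names and paths are made up for illustration.
SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
%webops ALL=(root) /usr/bin/systemctl restart httpd, /usr/bin/journalctl -u httpd
%backup ALL=(root) NOPASSWD: ALL
Defaults logfile=/var/log/sudo.log'

# Write the sample to a temp file, count the unrestricted rules, print the count.
sample_unrestricted_count() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SUDOERS" > "$tmp"
    n=$(sudoers_unrestricted_rules "$tmp" | wc -l)
    rm -f "$tmp"
    echo "$n" | tr -d ' '
}

# Constructed passwd-style sample (account names made up).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_report:x:1001:1001:Report svc:/srv/report:/bin/sh'

# List accounts that can still log in interactively: shell field is neither
# /bin/false nor a *nologin shell. Takes the passwd content as its argument.
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 != "/bin/false" && $7 !~ /nologin$/ { print $1 }'
}

# Stand-alone usage: report on the constructed samples.
echo "unrestricted sudo rules in sample: $(sample_unrestricted_count)"
echo "accounts with an interactive shell:"
interactive_accounts "$SAMPLE_PASSWD"
```

Run against a real host by passing /etc/sudoers (as root) to `sudoers_unrestricted_rules` and the contents of /etc/passwd to `interactive_accounts`; in the sample, the `%webops` rule is the only one that does not trip the check because it names specific commands rather than `ALL`.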