sudo, not su.

Albert Cahalan acahalan at gmail.com
Fri Dec 21 00:40:40 EST 2007


Various people write:

> yes, having a root password is generally bad, as it is what
> most attackers will try first.

With "olpc" being a well-known account, this security-by-obscurity
doesn't gain you anything.

> Yes, I think logging in directly as root is a misfeature that should
> go away.  Most of the other unix-derived platforms have been doing
> their best to kill it off or at least reduce its attractiveness...

There is no misfeature here, excepting the case where one starts
up the whole GUI as root. Sugar doesn't provide an easy way to be
run as root; it's not like some GNOME login thing.

If anything, Linux is going the other way. On a highly secure
Linux system, it is not possible to obtain full privileges unless
you log in directly on the console. You can't get full privilege
with sudo, su, or ssh. (mere "root", UID==0, won't do the job)

BTW, this is not a bad solution. Simply remove the setuid bit
from both sudo and su. To log in as root, press Alt-Ctrl-Fn-2.
As a bonus, you get rid of some setuid programs.

Blocking access to all setuid programs would be far better.
I found 17, many of which have previously had holes. You're
not thinking with a security mindset until you assume that
more holes will be found.

> Yeah ... sudo is more secure than su.

I really worry about this kind of misconception. It seems that
sudo gives people a false sense of security. That alone makes sudo
a hazard.

The XO will not be logging sudo commands to a remote system, and
won't have multiple users authorized to run such commands. There
goes the main point of having sudo. Remember that sudo comes from
the world of server administration, where multiple poorly-trusted
people (employees) will need to perform root-only tasks. With sudo
you gain some weak accountability. That doesn't help on the XO.
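
The audit the message describes (counting setuid programs, then clearing the bit on su and sudo), sketched as an added example that is not part of the original post. It runs against a constructed temporary tree rather than a real system; the function names and the allowlist file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: inventory setuid files, compare against an allowlist,
# and clear the setuid bit as the message suggests for su and sudo.

# Print every regular file under $1 with the setuid bit set, one per line.
# -xdev keeps find on a single filesystem; -perm -4000 matches the setuid bit.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files under $1 that are not listed in allowlist file $2
# (one exact path per line). Empty output means nothing unexpected.
unexpected_setuid() {
    list_setuid "$1" | grep -vxF -f "$2" || true
}

# Build a constructed demo tree (not real system paths):
# two setuid files named su and sudo, and one ordinary file.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    for f in su sudo ls; do : > "$d/bin/$f"; done
    chmod 4755 "$d/bin/su" "$d/bin/sudo"
    chmod 0755 "$d/bin/ls"
    echo "$d"
}

tree=$(demo_tree)
echo "setuid files before:"
list_setuid "$tree"

# Remove the setuid bit from both programs; the files stay in place
# but no longer run with their owner's privileges.
chmod u-s "$tree/bin/su" "$tree/bin/sudo"
echo "setuid files after: $(list_setuid "$tree" | wc -l)"
rm -rf "$tree"
```

On a real system the same `list_setuid /` call gives the count to track over time, and the allowlist check flags any setuid file that appears after an update.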


