su

Dave Yearke yearke at eng.buffalo.edu
Thu May 26 08:28:50 EDT 2005


>Sudo is cool because it allows users to execute
>commands as root without giving away the root password. The users
>allowed to use this and the commands they execute are adjustable so not
>everyone can use it and not all commands are available.

The other great thing about sudo is that it logs every invocation, which is not 
only useful for security reasons, but has also saved my hide on occasion when I 
realize a system is doing something strange and need to figure out what's been 
done to it recently. I have a terrible memory, and the sudo log can help me 
remember that I, or some other admin, changed a config file or started some new 
daemon or something like that. We strongly discourage su in favor of sudo for 
that reason alone.

The only downside is that it opens up multiple points of vulnerability for the 
root password. If you think about it, on a normal system the root account 
password is a single point of vulnerability. On a system with sudo, the password 
of anyone with full sudo permission is now a vulnerability, because it's easy to 
do "sudo su -" and have carte-blanche root access. Another reason why admins, 
more than anyone else, need to use strong passwords.

All in all, though, sudo rocks. :-)

-- 
                      Dave Yearke, yearke at eng.buffalo.edu
                      "Remember, you may have to grow old,
                       but you don't have to mature". -- Red Green 
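
Added example (not part of the original post): a small parser for sudo's syslog-format entries that rebuilds the "who ran what" trail described above and flags root shells such as "sudo su -". The sample lines, host and user names are constructed, and the field layout assumes sudo's default syslog output.

```python
import re
from pathlib import PurePosixPath

# Constructed sample lines in sudo's default syslog format (not from the post).
SAMPLE_LOG = """\
May 26 08:10:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
May 26 08:12:44 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
May 26 08:15:09 host1 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/service ntpd restart
May 26 08:20:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/bash
May 26 08:21:00 host1 sshd[411]: Accepted publickey for alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssudo(?:\[\d+\])?:"
    r"\s+(?P<user>\S+) : (?P<rest>.*)$"
)
SHELLS = {"su", "sh", "bash", "zsh", "ksh", "csh", "tcsh", "dash"}


def parse_line(line):
    """Return one event dict for a sudo command entry, or None for other lines."""
    m = LINE_RE.match(line)
    if not m or "COMMAND=" not in m["rest"]:
        return None
    # COMMAND is the last field and may contain ";" itself, so split it off first.
    head, _, command = m["rest"].partition("COMMAND=")
    fields, notes = {}, []
    for part in filter(None, (p.strip() for p in head.split(";"))):
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            fields[key] = value
        else:
            notes.append(part)  # e.g. "3 incorrect password attempts"
    argv0 = PurePosixPath(command.split()[0]).name if command.split() else ""
    if notes:
        kind = "rejected"
    elif fields.get("USER") == "root" and argv0 in SHELLS:
        kind = "root-shell"  # sudo logs this entry, not what is typed in the shell
    else:
        kind = "command"
    return {"ts": m["ts"], "user": m["user"], "kind": kind,
            "command": command, "notes": notes, **fields}


def audit(log_text):
    """Parse every sudo command entry in a block of syslog text."""
    return [e for e in map(parse_line, log_text.splitlines()) if e]


if __name__ == "__main__":
    for e in audit(SAMPLE_LOG):
        print(f'{e["ts"]}  {e["user"]:<6} {e["kind"]:<10} {e["command"]}')
```

The "root-shell" entries mark the point where the per-command trail stops, since commands typed inside that shell do not go through sudo.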



