[plug] Interesting command that may make root access more fun ..

Daniel Foote freefoote at gmail.com
Sat May 26 00:05:27 WST 2007


> `sudo su [-]`
> is the standard way to get root on systems that don't have a root account.
> However I think this is a bad way to go about things, as giving sudo
> permissions for 'su' is as good as giving the user the root password.
> The whole reason sudo was made was to be able to give non-root users
> the ability to use /some/ root commands without giving them the kind
> of total control that a root user has. This way root could set up the
> sudoers file to give access to certain types of commands to different
> users or groups. I.e., give users in the 'reboot' group the ability to
> restart the system.
>
> I know that the idea of disabling a pure root account was to help home
> users to understand not to use root privileges by default, but when
> people start doing things like this from ordinary accounts it defeats
> the purpose.

Hmm... I think using sudo in this way is a good balance between
security and usability. I set up sudo (on my Debian boxes) to allow
any root command from my usual user account (daniel), but only after a
password - same as the Ubuntu default.

This means that simple stuff you want to do as root is simply done,
without having to become root first. Here's an example - I use XFCE
and have the "verve" command line plugin on the panel. Let's say I
want to do some packet sniffing - I type "gksudo wireshark" into the
command line, it asks me for the root password, and I'm in. Without
this, I would either have to have a desktop/application link set up
for this (which wireshark usually ships with), or start a terminal,
become root, and then start wireshark.

In other (multiuser) installations I've tuned sudo to give certain
people minimal actions (shutdown, reboot, a few commands that they need
to be root for), and some other users (me) full access with sudo. This
also means that on these machines, the root password is rarely used -
I think it's easier to revoke privileges from users than changing the
root password.

But that's my $0.02 worth.

Daniel Foote.
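
Added example, not part of the original message: a small Python audit that separates the two kinds of sudoers rule discussed in this thread, those limited to a few commands (the 'reboot' group) and those that amount to full root (`ALL`, `su`, or a shell). The sudoers entries and the users alice, bob and www are constructed for illustration, and the parser is simplified (no aliases, continuations or includes).

```python
import re

# Constructed sample entries (not from the thread), using names it mentions.
SAMPLE_SUDOERS = """\
# full access after a password
daniel   ALL=(ALL) ALL
# minimal actions for members of a 'reboot' group
%reboot  ALL=(root) /sbin/reboot, /sbin/shutdown
# looks limited, but su hands back an unrestricted root shell
alice    ALL=(root) /bin/su
bob      ALL=(root) NOPASSWD: /sbin/shutdown -r now, /bin/bash
www      ALL=(www-data) /bin/bash
"""

# Commands that amount to a full root shell when allowed through sudo.
SHELL_EQUIVALENT = {"su", "sudo", "sh", "bash", "dash", "zsh", "ksh", "csh"}
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...


def audit(text):
    """Return (who, command, reason) for each rule equivalent to full root.

    Simplified: no alias expansion, line continuations or includes.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        match = RULE.match(line)
        if not match:
            continue
        who, runas, commands = match.groups()
        # With no (runas) list sudo runs the command as root.
        if runas is not None and not {"root", "ALL"} & set(re.split(r"[,:\s]+", runas)):
            continue
        for command in commands.split(","):
            command = TAGS.sub("", command.strip())
            name = command.split()[0].rsplit("/", 1)[-1] if command else ""
            if name == "ALL":
                findings.append((who, command, "any command as root"))
            elif name in SHELL_EQUIVALENT:
                findings.append((who, command, "root shell"))
    return findings


if __name__ == "__main__":
    for who, command, reason in audit(SAMPLE_SUDOERS):
        print(f"{who}: {command} -> {reason}")
```

The `%reboot` rule and the `www` rule (which runs as a non-root user) produce no finding; the other three do.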
