[Leaplist] sudo vs su
Kevin Korb
kmk at sanitarium.net
Mon Jun 1 11:13:31 EDT 2009
The su command is still trackable. Most shells log every command that
is typed, and if you combine that with last or other system logs you can
tell who was using root at that time and on that terminal.
To me not installing sudo means one less SUID root program sitting
around potentially allowing privilege escalations.
Sudo is useful for the rare case that you want to give a non-admin
person limited root access and don't want to write a proper wrapper or
client/server app for it, but other than that I would consider it to be
potentially dangerous cruft. In other words, if the word ALL appears in
your sudoers file you are using it wrong, and if you aren't using it, it
shouldn't be installed.
Richard F. Ostrow Jr. wrote:
> Ok, now that we're actually talking in the right topic, here's the
> _correct_ answer.
>
> su - input not logged, difficult to backtrace what was done in the event
> of a catastrophic screwup (rm -rf /)
>
> sudo - can easily track what was done. Everything put into sudo goes into
> /var/log/{hostname}/messages of the remote logging system. An 'rm -rf /'
> would be logged on the remote machine, and I would know *exactly* who was
> stupid enough to do such a thing, and can make them clean up the mess.
>
> I wonder which one is better from an SA standpoint?
>
>
--
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
Kevin Korb Phone: (407) 252-6853
Systems Administrator Internet:
FutureQuest, Inc. Kevin at FutureQuest.net (work)
Orlando, Florida kmk at sanitarium.net (personal)
Web page: http://www.sanitarium.net/
PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
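The two points argued in this thread, that sudo's syslog trail records who ran what on which terminal, and that an unrestricted ALL command spec in sudoers defeats the purpose, can both be checked mechanically. The Python below is an added example, not code from either poster; the syslog lines and the sudoers file are constructed for the illustration, and the dangerous-command patterns are assumptions chosen for it rather than anything sudo ships with.

```python
"""Defender-side checks for sudo: parse its syslog trail and audit sudoers for ALL."""
import re

# Constructed sudo syslog lines in the format sudo emits
# ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."), plus one unrelated line.
SAMPLE_SYSLOG = """\
Jun  1 11:10:02 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service httpd restart
Jun  1 11:11:45 web1 sudo:     bob : TTY=pts/1 ; PWD=/var/tmp ; USER=root ; COMMAND=/bin/rm -rf /
Jun  1 11:12:09 web1 sudo:   carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jun  1 11:12:30 web1 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<msg>[^;]+?) ; )?"          # optional status such as "command not allowed"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_log(text):
    """Return one dict (ts, host, user, msg, tty, pwd, runas, cmd) per sudo event."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


# Hypothetical alert patterns: wiping the root filesystem, or escaping to a shell.
DANGEROUS = [
    re.compile(r"\brm\s+(-\S+\s+)*/\s*$"),
    re.compile(r"/(ba|z|k)?sh$"),
]


def alerts(events):
    """(user, tty, cmd) for commands sudo refused or that match DANGEROUS."""
    out = []
    for e in events:
        refused = e["msg"] == "command not allowed"
        if refused or any(p.search(e["cmd"]) for p in DANGEROUS):
            out.append((e["user"], e["tty"], e["cmd"]))
    return out


# Constructed sudoers: two unrestricted rules next to two properly limited ones.
SAMPLE_SUDOERS = """\
# constructed sudoers for illustration
Defaults    logfile=/var/log/sudo.log
Cmnd_Alias  BACKUP = /usr/bin/rsync
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
alice       ALL=(root) /usr/sbin/service httpd restart, /usr/sbin/service httpd reload
bob         ALL=(root) NOPASSWD: BACKUP
"""

SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
DIRECTIVES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def unrestricted_rules(text):
    """(who, command spec) for every user spec whose command list contains ALL."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(DIRECTIVES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        # Drop tags such as NOPASSWD: before comparing the command itself.
        cmds = [re.sub(r"^(?:[A-Z]+:\s*)+", "", c) for c in cmds]
        if "ALL" in cmds:
            found.append((m.group("who"), m.group("cmds")))
    return found


if __name__ == "__main__":
    for user, tty, cmd in alerts(parse_sudo_log(SAMPLE_SYSLOG)):
        print(f"ALERT {user} on {tty}: {cmd}")
    for who, spec in unrestricted_rules(SAMPLE_SUDOERS):
        print(f"sudoers grants ALL to {who}: {spec}")
```

Run against a real /var/log/messages or /var/log/secure the first half gives the who/tty/command answer Richard describes; the second half implements Kevin's rule of thumb that any ALL in the command position is a rule worth reviewing. Neither check sees commands run under a plain su, which is exactly the gap the thread is about.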