[Leaplist] sudo vs su

John Simpson jms1 at jms1.net
Mon Jun 8 23:13:17 EDT 2009


On 2009-06-01, at 1101, Richard F. Ostrow Jr. wrote:
>
> su - input not logged, difficult to backtrace what was done in the event
> of a catastrophic screwup (rm -rf /)
>
> sudo - can easily track what was done. Everything put into sudo goes into
> /var/log/{hostname}/messages of the remote logging system. An 'rm -rf /'
> would be logged on the remote machine, and I would know *exactly* who was
> stupid enough to do such a thing, and can make them clean up the mess.
>
> I wonder which one is better from an SA standpoint?

my job involves administering about 100 linux machines. here's one thing i personally like about "sudo"...

my non-root account uses tcsh, with a customized set of aliases and a visually distinctive prompt (so i can tell where the commands are when scrolling back up in a window.) even if root uses an un-modified bash with the boring "[hostname] #" prompt, if i log into my own account and do "sudo -s", it makes me root, running tcsh, using the .tcshrc from my non-root user's home directory, which gives me all of my aliases and the special prompt, only running as root. this is because "sudo" doesn't re-write the HOME and/or SHELL variables.

the one problem with this is that, when i do this, the HOME variable points to my non-root user's home directory. which is fine when tcsh starts and is looking for a .tcshrc file, but it's a bit confusing when you start entering commands. so my .tcshrc file has the following...

# remember the HOME the shell started with (the non-root user's, after "sudo -s")
setenv OLDHOME $HOME
if ( "$LOGNAME" == "root" ) then
    set path=( /usr/bin /bin )
    # look up root's home directory from its /etc/passwd entry
    set newhome=`grep ^root: /etc/passwd | cut -d: -f6`
    # quoted so the test still parses when the lookup returns nothing
    if ( "$newhome" != "" ) then
        setenv HOME $newhome
    endif
endif

... so that AFTER it's already reading the .tcshrc file from my non-root home directory, the shell has a HOME variable which points to root's home directory, as you would normally expect.

----------------------------------------------------------------
| John M. Simpson    ---   KG4ZOW   ---    Programmer At Large |
| http://www.jms1.net/                         <jms1 at jms1.net> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
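As an added example (not part of John's message or the Leaplist thread), here is an sh equivalent of the .tcshrc lookup above, together with a check that reports whether HOME still points at the invoking user's directory after a "sudo -s". The passwd lines it reads are constructed sample data, and the function names passwd_home and home_status are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: an sh version of the
# .tcshrc lookup (a user's home directory from passwd data) plus a check
# that flags a HOME variable pointing somewhere other than the effective
# user's home, which is what "sudo -s" leaves behind.

# Constructed sample passwd data standing in for /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jms1:x:1000:1000:John Simpson:/home/jms1:/bin/tcsh
rootbeer:x:1001:1001:decoy:/home/rootbeer:/bin/sh'

# passwd_home USER [FILE]
# Print USER's home field. The whole first field is compared, and awk
# stops at the first hit. Reads FILE when given, the sample data otherwise.
passwd_home() {
    if [ -n "${2:-}" ]; then
        awk -F: -v u="$1" '$1 == u { print $6; exit }' "$2"
    else
        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $6; exit }'
    fi
}

# home_status USER CURRENT_HOME [FILE]
# Prints "ok" when CURRENT_HOME is USER's passwd home, "mismatch" when it
# is not (e.g. root running with HOME=/home/jms1 after "sudo -s"), and
# "unknown" when USER is absent from the passwd data.
home_status() {
    expected=$(passwd_home "$1" "${3:-}")
    if [ -z "$expected" ]; then
        echo unknown
    elif [ "$expected" = "$2" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Stand-alone use: "sh this.sh --check" reports on the current process
# using the real /etc/passwd.
if [ "${1:-}" = "--check" ]; then
    me=$(id -un)
    echo "user=$me HOME=$HOME status=$(home_status "$me" "$HOME" /etc/passwd)"
fi
```

Run with "--check" from a "sudo -s" shell and it prints "mismatch" for root with HOME still set to the invoking user's directory; the same call from "sudo -i" or "su -" prints "ok", which is a quick way to see which invocation left root reading someone else's dotfiles.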
