
Re: [LUG] root vs sudo vs su (was Server got hacked)

Others will be along to fill in the gap and offer alternatives, but you know by now there are few consensuses in the LUG universe.

(I disagree changing ssh ports is useless btw, but I've argued that already)


Ok, so "root" is a user. Ok, understood. (Not quite sure where the "wheel" group comes in to this, but that's possibly a different topic)

A special user.

Its home dir is /root - which allows you to mess around with the /home directories (a common task) without screwing with your own profile - which, if you're doing that remotely, may end your connection and leave you in a bit of a pickle.
 
And "sudo" and "su" are commands to run a command as a different user..., i.e. root?? But *buntu's don't have a "root" user, so I'm getting hazy now...

I don't pretend to know much about Ubuntu and how it does things. Canonical have made choices over the years that have confused me. I use Debian.
 
So, if your friendly hacker has found any user/password combo to gain access, surely they then just type "sudo <bad commands>" and they have exactly the same access level to the box?

IF that user has sudo privileges, which can be quite finely tailored.

Note also that "sudo -s" as a sudo-enabled user grants you effectively root access. (It launches a shell in su mode.)

You are assuming that the bad guy has user/pass. If he does, yes, what you describe is true. But if he encounters an existing open shell or intercepts it somehow, he won't know the pass so can't escalate privs. 

He may also have gained access by compromising processes spawned by that user, thus inheriting those privs - again, without knowing their password.

So sudo is very often a good idea.

But I don't use it. I use Debian which, although it can be sudo'd up, is by default root based.
 
I believe that the reason for sudo was to allow a user access to specific commands at a privileged level (i.e. sudo apt-get update) but not others (sudo install rootkit)...

So where does "su" come in to this?

~:man su

su - change user ID or become superuser

SuperUser. Without a username specified, it assumes root. su as a user, you're prompted for a password. Enter that password and you have root.

su from one user to another, enter that user's password and you effectively log in as them.

su from root to any other user and you don't have to enter the password. This in itself is a security measure in that the admin doesn't need to know the user's passwords to do maintenance under their account.
 

And (for a bonus point), why do some distros use one over the other? :o)

Because.

(Seriously - that's the best answer you're going to get.)
 

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
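The post makes two points worth checking on a real box: sudo privileges "can be quite finely tailored" (specific commands rather than everything), and a rule that lets a user reach a root shell without a password prompt undoes the protection the poster relies on when an intruder only holds an open session. The following is an added example, not code from the post or from the sudo project: a small Python auditor that parses a few constructed sudoers-style lines (embedded inline, not read from /etc/sudoers) and flags rules that amount to "full root", and those that also carry NOPASSWD. The sample rules, the `SHELLS` list and the function names are all assumptions made for the example; real sudoers syntax (aliases, includes, negated commands) is broader than this parser handles.

```python
"""Audit sudoers-style rules for overly broad grants (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample sudoers content; not taken from any real host.
SAMPLE_SUDOERS = """\
# Members of wheel may run anything, but must type their password.
%wheel  ALL=(ALL) ALL
# Deploy account: package updates only.
deploy  ALL=(root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
# Backup job: no password, but also no shell.
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
# Convenience rule that is really a passwordless root shell.
alice   ALL=(ALL) NOPASSWD: /bin/bash
Defaults    env_reset
"""

# Assumed list of interpreters that hand out an interactive root shell.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}

# user_or_group  hosts = (runas) TAG: cmd1, cmd2
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


@dataclass
class Grant:
    who: str
    runas: str
    nopasswd: bool
    full_root: bool
    commands: list = field(default_factory=list)


def parse_sudoers(text):
    """Parse simple user/group rules; comments, blanks and Defaults are skipped."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        # A grant is "full root" if any command is ALL or a login shell:
        # restricting to named commands is what keeps sudo narrower than su.
        full_root = any(c == "ALL" or c.split()[0] in SHELLS for c in cmds)
        grants.append(Grant(who=m.group("who"),
                            runas=m.group("runas") or "root",
                            nopasswd="NOPASSWD" in tags,
                            full_root=full_root,
                            commands=cmds))
    return grants


def full_root_principals(grants):
    """Users/groups whose rule is equivalent to `sudo -s` root access."""
    return [g.who for g in grants if g.full_root]


def risky_grants(grants):
    """Principals that get root with no password prompt: the case the post
    warns about, where a hijacked session escalates without knowing the password."""
    return [g.who for g in grants if g.full_root and g.nopasswd]


if __name__ == "__main__":
    parsed = parse_sudoers(SAMPLE_SUDOERS)
    for g in parsed:
        kind = "FULL ROOT" if g.full_root else "restricted"
        pw = "no password" if g.nopasswd else "password required"
        print(f"{g.who:8} runas={g.runas:5} {kind:10} {pw}: {', '.join(g.commands)}")
    print("passwordless root:", risky_grants(parsed))
```

Running it over the sample flags `%wheel` and `alice` as full-root grants, and only `alice` as passwordless root; `deploy` and `backup` stay restricted to the named binaries, which is the "sudo apt-get update but not sudo install rootkit" shape the thread describes.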