Sunday, June 22, 2008

su - v. sudo su -

ok, all this ubuntu talk has got me wanting to rant a little bit...

[rant]
sudo su is bad... there's no way around it. i know it's nice to keep users happy by not making them remember yet another password. and yes, it is nice that you have to know the current password to sudo su (in the same way that you have to know the current password to run passwd unless you're root).

this stuff, however, doesn't make sudo su a good thing.

don't believe me eh? all you have to do is check wikipedia (until one of you smartasses changes it):

sudo (super user do; officially pronounced /ˈsuːduː/,[2] though /ˈsuːdoʊ/ is also common) is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user (normally the superuser) ... Before running a command with sudo, users typically supply their password. Once authenticated, and if the /etc/sudoers configuration file permits the user access, then the command is run


ok, so right now you're probably thinking that the quote doesn't support my point at all. stfu. look, just because i can edit the sudoers file to allow sudo to run su doesn't mean it's ok. i mean, i can edit the sshd conf to allow root logins, but do we think it's ok to do? i can install mysql w/ a blank sa password. i can use cleartext instead of crypto. i can find web sites with goat pr0n... wait... erm...

anyway, i understand where this fits in w/ the ubuntu community of being all warm and fuzzy and easy. but i don't have to like it. one problem is that it hinders the ability of windoz converts to understand the significance of the nix security and permissions model. but mostly i hate that it removes a layer of security. we're supposed to be about defense in depth, right?

if you get my password, i'd like it if you have to find a privelege escalation vuln and dig around for a while to root me. just using the same password again to do it seems cheap...

i know macs are kinda similar, and i don't care. and i know it isn't a big deal to most people, and i don't care about that either. i don't like sudo su, and i don't have to... grrr...


rwnin@deadwood:~$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
rwnin@deadwood:~$ sudo su -
[sudo] password for rwnin:
root@deadwood:~# cat /etc/sudoers | grep -v '^#' | sed '/^$/d'
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
root@deadwood:~# logout
rwnin@deadwood:~$

[/rant]

No comments: