Would you enable sudo instead of using the root user account?
Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
View Poll Results: Would you configure sudo if it isn't configured by default?
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,881
Rep:
Would you enable sudo instead of using the root user account?
I recently installed OpenMandriva Lx 4.0 and upon having a look through it's website discovered the fact it uses sudo by default. As I remembered before reading it's website that my password for my normal user account worked for mounting my other fixed drive that wasn't in fstab at the time. So I had a look at which user groups my normal user was a member of, and the "wheel" group was one of those groups (that I've since removed it from). Anyways, this prompted me to have a look at the "sudoers" file in /etc and sure enough the "wheel" group is listed in that file with ALL root permissions for sudo.
So I checked to make sure my normal account can no longer use sudo (because I can just su into root if I need to do anything that needs root permissions, and personally for a standalone PC like mine, I don't see any need for sudo), and sure enough, I get the output below. To be clear: I DO see the point in sudo in a enterprise/business situation - horses for courses.
Code:
james@jamespc: ~> sudo cd /root
[sudo] password for james:
james is not in the sudoers file. This incident will be reported.
Reported to who? Me? I asked myself if I was trouble, myself said he'll forgive me
But anyways, the question is: would you enable sudo on a distro that doesn't configure it by default, instead of using root itself (or both)?
Distribution: openSUSE(Leap and Tumbleweed) and a (not so) regularly changing third and fourth
Posts: 629
Rep:
Quote:
Originally Posted by jsbjsb001
But anyways, the question is: would you enable sudo on a distro that doesn't configure it by default, instead of using root itself (or both)?
(I'm mainly asking for a standalone situation)
I use su almost always but sometimes it's more convenient to use sudo. Opensuse seems to do it differently from other disros that I've tried and I always reset sudo to work that way. It uses the root password, so unless you know the root password on my system, you can't use sudo or su.
I answered "no" in the poll since I wouldn't use sudo for general root privileges. I do have sudo configured for running some specific harmless commands (with NOPASSWD) from cron scripts (example: reading the hit counts from certain iptables rules).
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,881
Original Poster
Rep:
FYI teckk: I DON'T login to the GUI as root, I only su to root at the command-line/terminal (usually only in a terminal window). But that said, I don't see anything wrong with running a text editor as root. But I wouldn't be running my web browser as root tho.
But that said, I do agree one should make sure they only use root only when necessary.
Your second link does raise an interesting point though; does sudo actually make your system less secure, because it may lower you into the false belief that you can rely on a program to "protect" you from yourself - instead of the onus being on yourself to think about what you're doing before doing it? Interesting question.
Last edited by jsbjsb001; 08-13-2019 at 11:31 AM.
Reason: addition
Distribution: Mainly Devuan, antiX, & Void, with Tiny Core, Fatdog, & BSD thrown in.
Posts: 5,518
Rep:
I wouldn't bother configuring it myself, but I have no problem with it being default on distros for personal use, after all, you still have to enter your password, & no one else should know it but you.
I wouldn't bother configuring it myself, but I have no problem with it being default on distros for personal use, after all, you still have to enter your password, & no one else should know it but you.
In my latest installation I have enabled sudo, for group "wheel" only (which I'm part of, of course) but in actual fact I almost never use it, too much used to going su instead.
Sudo is not designed to be used the way the *buntus use it. I've not yet seen a convincing argument for the *buntus' creepy sudo fetish.
The only legitimate use for sudo is to give selected higher privileges to a users who need them to perform their functions, such as, for example, giving a webmaster the ability stop and restart apache.
All my machines have random, unknown root passwords or locked root accounts. I always use sudo. I have it configured so that I'm prompted to provide my user password for everything with maybe one or two exceptions. If I want to do more than a few commands as root I do:
Code:
sudo -i
It works well. A better question to ask me is "Would you enable direct root access, rather than use sudo". To which I would reply: no.
A better question to ask me is "Would you enable direct root access, rather than use sudo". To which I would reply: no.
The main thing is that with su (and sudo, correctly configured) someone who wants to break into your system needs TWO passwords: that of a (your?) userid AND that of root. Makes becoming root a bit more complicated and thus safer.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Quote:
Originally Posted by frankbell
Sudo is not designed to be used the way the *buntus use it. I've not yet seen a convincing argument for the *buntus' creepy sudo fetish.
The only legitimate use for sudo is to give selected higher privileges to a users who need them to perform their functions, such as, for example, giving a webmaster the ability stop and restart apache.
i agree. However, on a one-use system I find sudo is useful for running scripts with mixed priveledges when installing things. That may, actually, be bad, but I don't see any evidence of it yet (by this I mean installing something as a user but making some root-level changes without having to log in again and run a seperate script).
I like sudo because I can give access to certain things for users, while not giving them full root. I like having a root account because if I let my password expire and forget what it was, I still have a way to get into the machine to reset my account password (or in some of the dev servers, I actually just log in as root to do sysadmin stuff, I know, shame on me, but I didn't feel like creating myself an account). So I voted both.
The main thing is that with su (and sudo, correctly configured) someone who wants to break into your system needs TWO passwords: that of a (your?) userid AND that of root. Makes becoming root a bit more complicated and thus safer.
Perhaps.
Though if my machine was compromised I'd be far more concerned with what they've done with my data in terms of copying it or modifying it. Not to mention some hackers go out of their way, or are not interested in root access. They can achieve their goals with the user they've managed to get access as. For example, root access is not required to put a key logger on most people's machines. Putting an appropriate script or .desktop file in the appropriate session startup directory, or even just modifying .bashrc. A huge amount of damage can be done without root access.
Also, there are other measures you can take besides passwords. For example, if you knew my password you would either need physical access to my machine and my passphrase for decrypting the drive or for remote access OpenVPN keys and certs and my private ssh key.
If you had convinced my to run a script/software that gave you a back door, yes you would only need to know one password. But, if the situation was reversed I'd only need to know your root password, not your user password. Same, same.
Also, at work, we use sudo ACLs extensively, hardly anyone has an ability to acquire a root shell. I can run a explicit small list of commands depending on the machine. When used this way sudo is far more secure, and even provides an audit of who did what or attempted to do what, when and where from.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.