<p>I agree with you, buddy. There are 2 ways to use root privileges. If you need to run 1 command as root, then "sudo command". If you need to become root to do many commands, then "sudo su -". Everything else, root password sharing, sudo -i, etc., is rubbish. If you are scripting a process that must run root commands on remote servers, then maybe it gets tricky. But for 98% of what an admin needs you only need those 2 things.</p>
<p>Oh, and about GUI... You can buy an ointment that will clear that up in a few weeks, but I prefer to stay away entirely.</p>
<div class="gmail_quote">On May 21, 2012 2:43 AM, "Brian Mathis" <<a href="mailto:brian.mathis%2Bale@betteradmin.com">brian.mathis+ale@betteradmin.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
There is an ENORMOUS difference between using "su" and "sudo -i", and<br>
it's big enough that any old codgers out there should learn this new<br>
trick:<br>
<br>
To use 'su' you need the ROOT password.<br>
To use 'sudo', you need YOUR password.<br>
<br>
In any environment outside of your personal desktop, this is a huge<br>
difference. Securely distributing the root password to any number of<br>
sysadmins, keeping track of who has it, and changing it every time<br>
someone leaves (and redistributing the changed password) is a<br>
nightmare, and it also violates most accepted rules of good security<br>
(using shared passwords).<br>
<br>
If you grant root access through sudo, even if admins use 'sudo -i',<br>
you only need to manage the sudoers file and you can forget about the<br>
root password issue. You still need to keep track of the root<br>
password, but now you can set it to some long random string and keep<br>
it locked in a safe somewhere. You also get an audit trail of who's<br>
logging in and switching to root, even if you don't get a full audit<br>
of every command they run.<br>
<br>
<br>
❧ Brian Mathis<br>
<br>
<br>
On Sun, May 20, 2012 at 9:30 PM, matt <<a href="mailto:ur.matt@gmail.com">ur.matt@gmail.com</a>> wrote:<br>
> Why not just log in as root and stomp around if you're going to use sudo -i?<br>
><br>
> On Sun, May 20, 2012 at 6:27 PM, matt <<a href="mailto:ur.matt@gmail.com">ur.matt@gmail.com</a>> wrote:<br>
>> sudo -i is definitely bad practice, it completely negates the purpose of<br>
>> using sudo in the first place.<br>
>><br>
>> On Sun, May 20, 2012 at 6:19 PM, Brian Stanaland <<a href="mailto:brian@stanaland.org">brian@stanaland.org</a>><br>
>> wrote:<br>
>>> I use 'sudo su -' which gets you the complete root experience.<br>
>>><br>
>>> -- Brian<br>
>>><br>
>>> On Sun, May 20, 2012 at 9:10 PM, Mike Harrison <<a href="mailto:cluon@geeklabs.com">cluon@geeklabs.com</a>><br>
>>> wrote:<br>
>>>><br>
>>>> On Sun, 20 May 2012, Jim Lynch wrote:<br>
>>>> > If that's current thinking, then it's changed. I've been<br>
>>>> > administrating<br>
>>>> > Unix systems for about 25 years. Sudo didn't exist and you needed to<br>
>>>> > su<br>
>>>> > in order to do admin tasks. It was accepted and expected. You<br>
>>>> > couldn't<br>
>>>> > install SunOS, HPUX, UNICOS or Irix without it. I'm afraid this old<br>
>>>> > dog<br>
>>>> > isn't learning new tricks, I use sudo -s or sudo -i on a regular basis<br>
>>>> > when I don't have su enabled.<br>
>>>><br>
>>>> I use sudo -s on my desktop when I need to do root things. Saves a lot<br>
>>>> of<br>
>>>> time and typing over "sudo foo" for every command. On a desktop, normal<br>
>>>> user system.. it seems to be the "right way". Be a user for user things,<br>
>>>> become almost root for doing admin stuff on my box.<br>
>>>><br>
>>>> On a server.. there is only root for most sysadmin tasks. I've only been<br>
>>>> running Linux since 94.. but have also worked on DG Nova's, SCO unix,<br>
>>>> Slowlaris, etc.. but it seems to be the right way to admin a server.<br>
>>>> If you can't handle SSHing in/logging in as root.. you should not be.<br>
>> --<br>
>> Matt Urbanski | <a href="http://iflowfor8hours.info" target="_blank">iflowfor8hours.info</a> | @iflowfor8hours<br>
> --<br>
> Matt Urbanski | <a href="http://iflowfor8hours.info" target="_blank">iflowfor8hours.info</a> | @iflowfor8hours<br>
<br>
</blockquote></div>
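<p>The audit trail Brian Mathis describes can be read back from the syslog entries sudo writes. The following is an added example, not part of the thread: it labels each entry as a single command, an interactive root shell (<code>sudo -i</code>, <code>sudo -s</code>, <code>sudo su -</code>) or a denied attempt. The log lines are constructed samples in sudo's default syslog format; the host, user names and paths are assumptions.</p>

```python
import re

# Constructed sample lines in sudo's default syslog format (not from the thread).
SAMPLE_LOG = """\
May 21 02:10:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
May 21 02:11:47 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
May 21 02:15:30 web1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
May 21 02:16:02 web1 sudo:     dave : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
May 21 02:21:00 web1 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
SU_ROOT_ARGS = {"-", "-l", "--login", "root"}  # su forms that give a root login shell

def parse_sudo_line(line):
    """Return user, target user, command and failure notes for a sudo entry, else None."""
    m = SUDO_RE.search(line)
    if not m or "COMMAND=" not in m["rest"]:
        return None
    head, command = m["rest"].split("COMMAND=", 1)
    parts = [p.strip() for p in head.split(" ; ") if p.strip()]
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    notes = [p for p in parts if "=" not in p]  # e.g. "3 incorrect password attempts"
    return {"user": m["user"], "target": fields.get("USER", "root"),
            "command": command.strip(), "notes": notes}

def classify(entry):
    """Label an entry 'denied', 'root-shell' or 'command'."""
    if entry["notes"]:
        return "denied"
    argv = entry["command"].split()
    name = argv[0].rsplit("/", 1)[-1] if argv else ""
    bare_shell = name in SHELLS and len(argv) == 1            # sudo -s, sudo -i
    su_root = name == "su" and set(argv[1:]) <= SU_ROOT_ARGS  # sudo su -
    if entry["target"] == "root" and (bare_shell or su_root):
        return "root-shell"
    return "command"

def audit(log_text):
    """Map each invoking user to the ordered list of labels for their sudo entries."""
    report = {}
    for line in log_text.splitlines():
        if (entry := parse_sudo_line(line)):
            report.setdefault(entry["user"], []).append(classify(entry))
    return report
```

<p>A <code>root-shell</code> label marks the point where per-command logging stops for that session, which is the limit of the audit trail the message above points out.</p>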