[ale] bash commands

Brian Mathis brian.mathis+ale at betteradmin.com
Mon May 21 02:42:41 EDT 2012


There is an ENORMOUS difference between using "su" and "sudo -i", and
it's big enough that any old codgers out there should learn this new
trick:

    To use 'su' you need the ROOT password.
    To use 'sudo', you need YOUR password.

In any environment outside of your personal desktop, this is a huge
difference.  Securely distributing the root password to any number of
sysadmins, keeping track of who has it, and changing it every time
someone leaves (and redistributing the changed password) is a
nightmare, and it also violates most accepted rules of good security
(using shared passwords).

If you grant root access through sudo, even if admins use 'sudo -i',
you only need to manage the sudoers file and you can forget about the
root password issue.  You still need to keep track of the root
password, but now you can set it to some long random string and keep
it locked in a safe somewhere.  You also get an audit trail of who's
logging in and switching to root, even if you don't get a full audit
of every command they run.


❧ Brian Mathis


On Sun, May 20, 2012 at 9:30 PM, matt <ur.matt at gmail.com> wrote:
> Why not just log in as root and stomp around if you're going to use sudo -i?
>
> On Sun, May 20, 2012 at 6:27 PM, matt <ur.matt at gmail.com> wrote:
>> sudo -i is definitely bad practice, it completely negates the purpose of
>> using sudo in the first place.
>>
>> On Sun, May 20, 2012 at 6:19 PM, Brian Stanaland <brian at stanaland.org> wrote:
>>> I use 'sudo su -' which gets you the complete root experience.
>>>
>>> -- Brian
>>>
>>> On Sun, May 20, 2012 at 9:10 PM, Mike Harrison <cluon at geeklabs.com> wrote:
>>>>
>>>> On Sun, 20 May 2012, Jim Lynch wrote:
>>>> > If that's current thinking, then it's changed.  I've been administrating
>>>> > Unix systems for about 25 years.  Sudo didn't exist and you needed to su
>>>> > in order to do admin tasks.  It was accepted and expected.  You couldn't
>>>> > install SunOS, HPUX, UNICOS or Irix without it.  I'm afraid this old dog
>>>> > isn't learning new tricks, I use sudo -s or sudo -i on a regular basis
>>>> > when I don't have su enabled.
>>>>
>>>> I use sudo -s on my desktop when I need to do root things. Saves a lot of
>>>> time and typing over "sudo foo" for every command. On a desktop, normal
>>>> user system.. it seems to be the "right way". Be a user for user things,
>>>> become almost root for doing admin stuff on my box.
>>>>
>>>> On a server.. there is only root for most sysadmin tasks. I've only been
>>>> running Linux since 94.. but have also worked on DG Nova's, SCO unix,
>>>> Slowlaris, etc.. but it seems to be the right way to admin a server.
>>>> If you can't handle SSHing in/logging in as root..  you should not be.
>> --
>> Matt Urbanski | iflowfor8hours.info | @iflowfor8hours
> --
> Matt Urbanski | iflowfor8hours.info | @iflowfor8hours
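
Added example, not part of the original message or thread: a small parser for the audit trail the top message describes. It shows that sudo's syslog entries name the person who opened a root shell with 'sudo -i', 'sudo -s' or 'sudo su -', while commands run inside that shell leave no sudo entry. The host, users and log lines are constructed, and the set of shell names is an assumption.

```python
import re

# Constructed sample lines in the syslog format sudo writes to auth.log/secure.
SAMPLE_LOG = """\
May 20 21:02:11 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May 20 21:05:40 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
May 20 21:07:03 web1 sudo:    carol : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
May 20 21:09:27 web1 sudo:  mallory : user NOT in sudoers ; TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
May 20 21:15:52 web1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50514 ssh2
"""

ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+)\s:\s(?P<fields>.*)$"
)
# Assumed list of commands that hand over an interactive root shell
# (what 'sudo -i', 'sudo -s' and 'sudo su -' show up as in COMMAND=).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}


def classify(line):
    """Return (kind, timestamp, user, detail) for a sudo entry, else None."""
    m = ENTRY.match(line)
    if not m:
        return None  # not a sudo command record (sshd, PAM session lines, ...)
    pre, _, cmd = m.group("fields").partition("COMMAND=")
    parts = [p.strip() for p in pre.split(";") if p.strip()]
    reasons = [p for p in parts if "=" not in p]  # e.g. "user NOT in sudoers"
    target = dict(p.split("=", 1) for p in parts if "=" in p).get("USER")
    if reasons:
        return ("denied", m["ts"], m["user"], reasons[0])
    argv0 = cmd.split()[0].rsplit("/", 1)[-1] if cmd.strip() else ""
    kind = "root-shell" if target == "root" and argv0 in SHELLS else "command"
    return (kind, m["ts"], m["user"], cmd)


def audit(log_text):
    """Group sudo entries by kind: root-shell, command, denied."""
    report = {"root-shell": [], "command": [], "denied": []}
    for line in log_text.splitlines():
        entry = classify(line)
        if entry:
            report[entry[0]].append(entry[1:])
    return report


if __name__ == "__main__":
    for kind, rows in audit(SAMPLE_LOG).items():
        for ts, user, detail in rows:
            print(f"{kind:10}  {ts}  {user:8}  {detail}")
```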


