[GRLUG] Distro's - was GRLUG test comment

Ron Lauzon rlauzon at gmail.com
Thu May 4 20:05:24 EDT 2006


Oops.  I replied and didn't realize that this wasn't going to the list:

Tim Schmidt wrote:
> And how am I supposed to know whose account to brute-force?  sudoers
> is only readable by root.
Then the attacker only has to do extra work to force the rest.

Remember that if root password is forceable, then every other one is as 
well.
> I never said sudo was massively more secure.  Just slightly.
I still see no extra security - not even slightly more security.

To create a secure system, you still need a privileged user to maintain 
the system and a normal user to run regular apps under.  I see no 
noticeable difference in security between that and having root enabled.
> Passing around root passwords because it's impossible to let a user
> run just one application with elevated privileges without sudo or
> something like it is not beside the point.
But we have left the topic.

sudo was created to let specific users run specific commands as another 
user.

The topic that we are on is using sudo as a replacement for su and 
having the root account enabled.
> Ok...  here's the drawing...
>
> ==you==
> Root - no restrictions
> User - many restrictions
>
> ==sudo==
> Root - completely disabled
> Admin - Regular user, ability to escalate privileges to do special stuff
> User1 - Regular user, ability to run widgetfrobber with escalated
> permissions because she needs it for her job, restricted otherwise
> User2 - Regular user, many restrictions
And I'm still waiting for the response to my question:
"So what's the difference between that and having a regular user account 
and root enabled?"

I am not saying "don't use sudo".  I am saying that I see no real 
difference in security between having a privileged account that can run 
any command as root with the root account disabled, and having the root 
account enabled and using su.

As a matter of fact, I see less security because, by default, the ONLY 
active account on an Ubuntu install has complete access to the system.  
So unless the installer makes a conscious decision to set up yet another 
account without sudo access, he runs a greater risk of something messing 
up his system.

-- 
Ron Lauzon - rlauzon at acm dot org
  Homepage: http://7lauzon.home.comcast.net/
  Weblog: http://ronsapartment.blogspot.com/

  DNRC: Lord of All Things That Are Fattening

  "To be sure, conservative radio talk show hosts have a built-in
  audience unavailable to liberals: People driving cars to some
  sort of job." - Ann Coulter

Microsoft Free since July 06, 2001
Running Mandriva Linux 2005LE
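
Added example, not part of the original message: a small shell audit for the point the thread argues over, namely which accounts can run any command as root through sudo and which are limited to specific commands. The account names, the widgetfrobber path and the sample sudoers text are constructed, and the parser is a simplification that assumes one user spec per line, with no aliases, line continuations or includes.

```shell
#!/bin/sh
# Constructed sudoers-style sample mirroring the layout quoted in the thread.
# Account names and the widgetfrobber path are hypothetical.
SAMPLE_SUDOERS='# constructed sample, not from a real system
Defaults env_reset
root    ALL=(ALL) ALL
admin   ALL=(ALL) ALL
user1   ALL=(root) /usr/local/bin/widgetfrobber
'

# classify_sudoers: read sudoers-style text on stdin and print one line per
# user spec: "<who> FULL" when the command list is exactly ALL,
# otherwise "<who> LIMITED <commands>".
classify_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        $1 ~ /^(Defaults|[A-Za-z_]+_Alias)/ { next } # settings, not user specs
        {
            who = $1
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)       # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
            sub(/^([A-Z]+:[ \t]*)+/, "", spec)   # drop tags such as NOPASSWD:
            sub(/[ \t]+$/, "", spec)             # drop trailing whitespace
            if (spec == "ALL") print who, "FULL"
            else print who, "LIMITED", spec
        }'
}

# full_access_accounts: non-root accounts whose sudo rule is unrestricted,
# i.e. accounts that are root-equivalent once their own password is known.
full_access_accounts() {
    classify_sudoers | awk '$2 == "FULL" && $1 != "root" { print $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s' "$SAMPLE_SUDOERS" | classify_sudoers
```

On a real system, `sudo -l -U <user>` run as root gives the authoritative answer, since sudo itself resolves aliases and included files.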






