From: John Hasler on 31 Dec 2009 14:12

Alan Mackenzie writes:

> sudo <command> executes <command> as though you were root. You _don't_
> get prompted for any password...

You do if it is configured to ask. Sudo can require the user's password or the root password.

> The functionality of these commands overlaps somewhat;
> su -c <command>
> does pretty much the same as sudo <command>.

Only if sudo is configured to permit the user to run <command>.

> sudo bash
> does pretty much the same as su.

Only if bash is one of the commands sudo is configured to allow the user to run.

> The main use of sudo, as far as I can tell, is to create systems
> without a root user (or without a root password).

No it isn't.

--
John Hasler
jhasler(a)newsguy.com
Dancing Horse Hill
Elmwood, WI USA

From: Moe Trin on 31 Dec 2009 14:45

On Thu, 31 Dec 2009, in the Usenet newsgroup comp.os.linux.misc, in article <87my0z0zy6.fsf(a)thumper.dhh.gt.org>, John Hasler wrote:

>It is the default configuration in Debian.

Among others

>You are, of course, free to change it in either Debian or Ubuntu.

The problem in Ubuntu is the lack of a "usable" password for root. The account exists (as it must), but is disabled in /etc/shadow.

>Florian writes:

>> It's often used if you don't want to change the root password every
>> time somebody leaves the admin team

We always created separate users that had individual passwords other than their "user" accounts, and these special accounts had sudo levels without passwords. Use of 'su' to become these special users was logged, and 'sudo' differentiated what those special users could do.

>> and of course it's the only sane thing if you want to give only
>> partial sudo access to somebody.

Depends - we used to use special group accounts for some things that depended on SUID root binaries. One of the first "rootly" things I got was the ability to mount tapes by changing group to 'tapemonkey' which required a password. The needed binaries were chmod 4750 and were owned by 'root:tapemonkey'. We do a similar trick now with the shutdown command - on workstations, /sbin/shutdown is owned by "root:slave" to allow members of that group to do the shutdown. On the servers, it's a different group.

>Offhand, I can't think of a good reason to configure it to require
>the root password.

Sudo? Yeah, I can agree with that.

Old guy

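Added example, not part of any post in this thread: a small audit helper for the "chmod 4750, owned by root:<group>" arrangement described in the post above, reporting whether a setuid-root binary really is reachable only through its group. The inventory is constructed, and the paths other than /sbin/shutdown are hypothetical.

```shell
#!/bin/sh
# Added example: audit the "setuid root, one group may execute" pattern
# (chmod 4750, owner root:<group>). Sample data below is constructed.

# classify_mode MODE OWNER GROUP -> prints one verdict word
classify_mode() {
    case $1 in ''|*[!0-7]*) echo invalid; return 1 ;; esac
    m=$((0$1))                                   # parse MODE as octal
    [ $((m & 04000)) -ne 0 ] || { echo not-setuid; return 0; }
    [ "$2" = root ] || { echo setuid-non-root; return 0; }
    # Any "other" bit exposes the binary to users outside the group.
    [ $((m & 0007)) -eq 0 ] || { echo setuid-root-world-accessible; return 0; }
    # Group write would let group members replace a binary that runs as root.
    [ $((m & 0020)) -eq 0 ] || { echo setuid-root-group-writable; return 0; }
    [ $((m & 0010)) -ne 0 ] || { echo setuid-root-owner-only; return 0; }
    echo "group-gated:$3"
}

# audit_file PATH -> verdict for a file on disk (GNU stat assumed)
audit_file() {
    info=$(stat -c '%a %U %G' -- "$1") || return 1
    set -- $info
    classify_mode "$1" "$2" "$3"
}

# Constructed inventory: mode owner group path
report_samples() {
    while read -r mode owner group path; do
        printf '%-26s %s\n' "$path" "$(classify_mode "$mode" "$owner" "$group")"
    done <<'EOF'
4750 root tapemonkey /usr/local/bin/tapemount
4750 root slave /sbin/shutdown
4755 root slave /sbin/shutdown.loose
4770 root slave /sbin/shutdown.writable
EOF
}

report_samples
```

With a "group-gated" verdict, access is decided by membership of the named group, so `getent group <group>` shows who currently holds it.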
From: Florian Diesch on 31 Dec 2009 15:10

Alan Mackenzie <acm(a)muc.de> writes:

> The main use of sudo, as far as I can tell, is to create systems without
> a root user (or without a root password). Ubuntu does this. The theory
> is that Ubuntu users aren't really to be trusted with a proper root
> account because they'll likely foul things up, but they need a certain

It's a common opinion that people shouldn't use the root account for their daily work. Ubuntu encourages this by making it hard to log in as root and making it easy to get temporary root privileges.

> Ubuntu had put in its own non-standard init program (for no good
> reason),

SysV init is a bit dated now and there have been many attempts to add missing features (like automated dependency checking for init scripts) or replace it in the last years. According to http://docs.fedoraproject.org/release-notes/f9/en_US/sn-System-Services.html#sn-Upstart Fedora switched to upstart, too.

> and they had forgotten to document its configuration,

init(8) says in the DESCRIPTION section

,----
| Processes managed by init are known as jobs and are defined by files in
| the /etc/init directory. See init(5) for more details.
`----

and init(5) indeed has the details about the configuration.

Florian
--
<http://www.florian-diesch.de/software/pdfrecycle/>

From: John Hasler on 31 Dec 2009 15:01

Old guy writes:

> The problem in Ubuntu is the lack of a "usable" password for root.
> The account exists (as it must), but is disabled in /etc/shadow.

Anyone who cannot manage the trivial task of adding a root password is better off without one.

--
John Hasler
jhasler(a)newsguy.com
Dancing Horse Hill
Elmwood, WI USA

From: Florian Diesch on 31 Dec 2009 15:34

ibuprofin(a)painkiller.example.tld.invalid (Moe Trin) writes:

> On Thu, 31 Dec 2009, in the Usenet newsgroup comp.os.linux.misc, in article
> <87my0z0zy6.fsf(a)thumper.dhh.gt.org>, John Hasler wrote:
>
>>It is the default configuration in Debian.
>
> Among others
>
>>You are, of course, free to change it in either Debian or Ubuntu.
>
> The problem in Ubuntu is the lack of a "usable" password for root.
> The account exists (as it must), but is disabled in /etc/shadow.
>
>>Florian writes:
>
>>> It's often used if you don't want to change the root password every
>>> time somebody leaves the admin team
>
> We always created separate users that had individual passwords other
> than their "user" accounts, and these special accounts had sudo levels
> without passwords. Use of 'su' to become these special users was logged,
> and 'sudo' differentiated what those special users could do.

So to revoke access to one of those special accounts for some user you have to change that special account's password. If that happens frequently it can be quite annoying and - depending on the level of bureaucracy involved - costly.

Florian
--
<http://www.florian-diesch.de/software/xxgamma/>