* [gentoo-dev] sudo vs su
From: William Hubbs @ 2010-02-28 19:20 UTC
To: gentoo development
All,
I am starting this thread because I don't understand why people are
using sudo and su together. They are completely separate utilities that
do the same thing. AFAIK, it should be either "sudo -i" or "su -", but
not "sudo su -" which I have seen quite often. "sudo su -" is redundant
because "su -" does the same thing as "sudo -i".
"sudo -s", afaik, gives you a root shell but does not clear
out the environment first.
Am I completely missing something?
William
* Re: [gentoo-dev] sudo vs su
From: Denis Dupeyron @ 2010-02-28 19:52 UTC
To: gentoo-dev
On Sun, Feb 28, 2010 at 12:20 PM, William Hubbs <williamh@gentoo.org> wrote:
> I am starting this thread because I don't understand why people are
> using sudo and su together. They are completely separate utilities that
> do the same thing. AFAIK, it should be either "sudo -i" or "su -", but
> not "sudo su -" which I have seen quite often. "sudo su -" is redundant
> because "su -" does the same thing as "sudo -i".
>
> "sudo -s", afaik, gives you a root shell but does not clear
> out the environment first.
>
> Am I completely missing something?
Some systems are configured with a random root password. After a while
you get tired of doing 'sudo <command>' all the time and would like to
become root but you can't because you don't know the root password.
One way around that is 'sudo su -' which allows you to become root using
your user password.
Denis.
* Re: [gentoo-dev] sudo vs su
From: Mike Auty @ 2010-02-28 19:55 UTC
To: gentoo-dev
Hiya William,
Sudo can be used to restrict access, so that only certain programs can
be run using it. It asks for your password rather than the user you're
trying to log in to (unlike su). It also helps maintain a more accurate
audit trail (although I don't have details on exactly how it does that).
Also su I believe only allows access to people in the wheel group.
Therefore, you'll see people using them in conjunction (particularly
with systems like Ubuntu that don't give you a root user), so that a
user can enter their own password and be restricted to a particular
program, in this case su, and keep better audit logs, all thanks to sudo.
Whilst at the same time it still gives you complete access to the
system/login shell through su (a simpler and therefore presumably easier
to secure program). So they can achieve the same results, but it is the
differences in the programs and the way they work that makes people
choose one over the other (or try and combine their best qualities).
That's the best of my understanding, hope it helps?
Mike 5:)
* Re: [gentoo-dev] sudo vs su
From: Graham Murray @ 2010-02-28 20:28 UTC
To: gentoo-dev
Denis Dupeyron <calchan@gentoo.org> writes:
> Some systems are configured with a random root password. After a while
> you get tired of doing 'sudo <command>' all the time and would like to
> become root but you can't because you don't know the root password.
> One way around that is 'sudo su -' which allows you to become root using
> your user password.
When I had to do this on a (RHEL) system, I did not think of using 'sudo
su -', I used 'sudo bash'.
* Re: [gentoo-dev] sudo vs su
From: William Hubbs @ 2010-02-28 20:42 UTC
To: gentoo-dev
On Sun, Feb 28, 2010 at 12:52:01PM -0700, Denis Dupeyron wrote:
> Some systems are configured with a random root password. After a while
> you get tired of doing 'sudo <command>' all the time and would like to
> become root but you can't because you don't know the root password.
> One way around that is 'sudo su -' which allows you to become root using
> your user password.
Actually, by default, sudo command uses your user password (it does
here anyway), and su - uses the root password. afaik sudo can be
configured to require the root password in the sudoers file, but it
doesn't by default. To test it, run this as a user:
    sudo -i
That should ask for a password. Try your user password there. Once
you authenticate, you will be put in a shell with root's environment.
On the other hand, "su -" requires the root password and does the same
thing as "sudo -i".
In effect, when you run "sudo su -" what you are doing is running sudo
and authenticating to it. Then you are running "su -" as the command
you want sudo to run as root.
William
* Re: [gentoo-dev] sudo vs su
From: Alec Warner @ 2010-02-28 20:45 UTC
To: gentoo-dev
On Sun, Feb 28, 2010 at 11:52 AM, Denis Dupeyron <calchan@gentoo.org> wrote:
> On Sun, Feb 28, 2010 at 12:20 PM, William Hubbs <williamh@gentoo.org> wrote:
>> I am starting this thread because I don't understand why people are
>> using sudo and su together. They are completely separate utilities that
>> do the same thing. AFAIK, it should be either "sudo -i" or "su -", but
>> not "sudo su -" which I have seen quite often. "sudo su -" is redundant
>> because "su -" does the same thing as "sudo -i".
>>
>> "sudo -s", afaik, gives you a root shell but does not clear
>> out the environment first.
>>
>> Am I completely missing something?
>
> Some systems are configured with a random root password. After a while
> you get tired of doing 'sudo <command>' all the time and would like to
> become root but you can't because you don't know the root password.
> One way around that is 'sudo su -' which allows you to become root using
> your user password.
Try "sudo -s" or "sudo -i" if you want sudo to clean your environment.
>
> Denis.
>
>
* Re: [gentoo-dev] sudo vs su
From: Alec Warner @ 2010-02-28 20:53 UTC
To: gentoo-dev
On Sun, Feb 28, 2010 at 11:55 AM, Mike Auty <ikelos@gentoo.org> wrote:
> Hiya William,
> Sudo can be used to restrict access, so that only certain programs can
> be run using it. It asks for your password rather than the user you're
> trying to log in to (unlike su). It also helps maintain a more accurate
> audit trail (although I don't have details on exactly how it does that).
> Also su I believe only allows access to people in the wheel group.
> Therefore, you'll see people using them in conjunction (particularly
> with systems like Ubuntu that don't give you a root user), so that a
> user can enter their own password and be restricted to a particular
> program, in this case su, and keep better audit logs, all thanks to sudo.
> Whilst at the same time it still gives you complete access to the
> system/login shell through su (a simpler and therefore presumably easier
> to secure program). So they can achieve the same results, but it is the
> differences in the programs and the way they work that makes people
> choose one over the other (or try and combine their best qualities).
I think William's question is specific to invocations of 'sudo su -'
and that 'sudo -s' and 'sudo -i' provide similar results with 1 less
exec. The security of sudo does not help here; both leave you with a
root shell and 0 auditing of commands in that shell by default (unless
root's shell is an audited shell; some places use them). I think the
answer to William's question is 'not everyone knows about sudo -s or
sudo -i.' I used Linux for years before sudo -s became normal usage
for me (sudo bash and sudo su before that) and I assume a number of
users are in a similar position. They found something that works so
they used that to get root with their password.
> That's the best of my understanding, hope it helps?
> Mike 5:)
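Added example, not part of any message in this thread: the point above that sudo's record stops once a root shell is granted, shown by picking those grants out of sudo's syslog lines. The sample lines and the function name root_shell_grants are constructed for illustration; it assumes sudo's default syslog layout, with "sudo -s" and "sudo -i" logged as the path of the shell they start.

```shell
#!/bin/sh
# Constructed sample lines in sudo's syslog layout:
#   user : TTY=... ; PWD=... ; USER=... ; COMMAND=...
SAMPLE_LOG='Feb 28 20:40:11 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Feb 28 20:41:02 box sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Feb 28 20:41:40 box sudo:    carol : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/emerge --sync
Feb 28 20:42:15 box sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/vim /etc/fstab
Feb 28 20:43:09 box sudo:      eve : TTY=pts/4 ; PWD=/home/eve ; USER=www ; COMMAND=/bin/sh -c ls
Feb 28 20:44:30 box sudo:    frank : 3 incorrect password attempts ; TTY=pts/5 ; PWD=/home/frank ; USER=root ; COMMAND=/bin/su -'

# Read sudo log lines on stdin and print "user<TAB>command" for every entry
# that granted an interactive root shell. Whatever is typed in that shell
# afterwards never reaches this log.
root_shell_grants() {
    awk '
    / sudo: / && /COMMAND=/ {
        # Denied or failed attempts carry a reason before TTY=; no shell was granted.
        if ($0 ~ /incorrect password|NOT in sudoers|command not allowed/) next

        user = $0;   sub(/^.* sudo: */, "", user);  sub(/ *:.*$/, "", user)
        target = $0; sub(/^.*USER=/, "", target);   sub(/ ;.*$/, "", target)
        cmd = $0;    sub(/^.*COMMAND=/, "", cmd)

        # Only grants that run as root are of interest here.
        if (target != "root") next

        # Basename of the program that sudo executed.
        split(cmd, argv, " ")
        n = split(argv[1], path, "/")
        prog = path[n]

        # su, or a bare shell with no -c payload, is an interactive root shell.
        if (prog == "su" || (prog ~ /^(sh|bash|zsh|ksh|dash)$/ && cmd !~ / -c /))
            printf "%s\t%s\n", user, cmd
    }'
}

# Run over the constructed sample; on a real host, feed it the sudo log instead.
printf '%s\n' "$SAMPLE_LOG" | root_shell_grants
```

alice's "sudo su -" and bob's "sudo -s" both appear as a single line each, while carol's and dave's individual commands are recorded in full; frank's failed attempt is skipped because no shell was handed out.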