On Aug 21, 2006, at 10:45 PM, Ansgar -59cobalt- Wiechers wrote:
Huh? What difference exactly do you see between "sudo -s" and "sudo
su"?
Either one gives you a Shell with (E)UID 0.
while both end up with a root shell, the fundamental way in which
each does its work makes a significant difference.
- sudo doesn't require giving every root-empowered user the actual
root password.
- sudo doesn't even require enabling the root account.
- sudo uses the users personal password. as such, if you fire an
employee you can selectively reject his sudo access without having to
pass out a new root password to the department.
- sudo logs more thoroughly (or used to, at least; i haven't used
'su' in ages), allowing responsible parties better paper trails when
hunting down malicious or inept users.
- sudo (by default) works one-command-at-a-time, making the user
think a little harder before issuing root commands, hopefully
avoiding possibly fatal errors.
- since sudo doesn't (by default) generate an actual shell, you can't
easily drop into it and walk away, allowing a potential security breach.
I strongly caution my users against using the -s flag to sudo,
actually, as the only time an actual shell is needed is when you'll
be running commands that rely on any oddball environment variables
that may not be available or applicable (or may need to be changed
during the session).
$ sudo /usr/sbin/foo bar
has far fewer security implications as:
$ sudo -s
# foo bar
#
...but accomplishes the exact same thing.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden
