Mailing Lists: Apple Mailing Lists


Re: Problems 'su'ing into the root user



On Aug 22, 2006, at 8:50 AM, JC Derr wrote:

> On Aug 21, 2006, at 10:45 PM, Ansgar -59cobalt- Wiechers wrote:
>
>> Huh? What difference exactly do you see between "sudo -s" and "sudo su"?
>> Either one gives you a Shell with (E)UID 0.
>
> While both end up with a root shell, the fundamental way in which each does its work makes a significant difference.

You've done a good job explaining sudo's benefits, but that doesn't address what the real difference between "sudo -s" and "sudo su" is.

> - sudo doesn't require giving every root-empowered user the actual root password.

"sudo -s" and "sudo su" both don't require using the root password.

> - sudo doesn't even require enabling the root account.

"sudo -s" and "sudo su" both don't require enabling the root account.

> - sudo uses the user's personal password. As such, if you fire an employee you can selectively reject his sudo access without having to pass out a new root password to the department.

Same for "sudo -s" and "sudo su"...

> - sudo logs more thoroughly (or used to, at least; I haven't used 'su' in ages), allowing responsible parties better paper trails when hunting down malicious or inept users.

"sudo su" and "sudo -s" both have the same level of logging, namely, nothing after the shell is initiated.

> - sudo (by default) works one-command-at-a-time, making the user think a little harder before issuing root commands, hopefully avoiding possibly fatal errors.

Both "sudo -s" and "sudo su" give you a root shell...

> - since sudo doesn't (by default) generate an actual shell, you can't easily drop into it and walk away, allowing a potential security breach.

So while I agree you've done a good job describing why sudo is a good thing in general, the original question was "what's the difference between 'sudo -s' and 'sudo su'", that is, why do people say it's "bad" to use "sudo su" when it does the exact same functional and practical thing as "sudo -s"?


Answer: there is no difference. The only real difference, on a default OS X installation (and, frankly, almost anywhere else you can do "sudo -s" or "sudo su") is that "sudo -s" uses the SHELL environment variable when it gives you the root shell, whereas "sudo su" would use root's shell. You can also sudo directly into shells, e.g., "sudo tcsh". The end result is that you have a root shell, and though I'm sure others will argue, there really is no practical difference between the end results of either "sudo -s" or "sudo su".

(To reiterate, since I've seen this mentioned several times in the past as a rebuttal: using "sudo su" DOES NOT require the root account to be enabled/assigned a password! So that is NOT a reason to not use it. The only reasons people end up giving for not using "sudo su" (or using "sudo -s" instead) seem to be dogmatic ones. One legitimate reason is that if you're used to a particular shell, or you are running commands dependent on the shell, "sudo -s" will keep the shell currently in use. If you end up in another shell, commands you run that are dependent upon the shell could have unexpected results, or worse, get interpreted in a way you didn't intend. However, as long as you're aware of what you're doing, there is nothing wrong with using "sudo su".)

(Now, some people say using EITHER is a "bad thing". I disagree, and this is one of those almost-religious issues. If I'm going to do a bunch of stuff as root on a personal system, I give myself a root shell. I am cognizant enough of the fact I'm "root" to (hopefully) not screw up. Now, if I do this in a logged or audited environment, I prefix everything with sudo, because use of a root shell is either disallowed via conventional means (depending on the system), or any use of a root shell without justification could be called into question.)

- Dave
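The logging point made in this exchange, that sudo records the invocation and then nothing of what is typed once a root shell is running, is what makes "sudo su", "sudo -s" and "sudo tcsh" entries worth singling out in the audited environment Dave describes. The script below is an added example, not code from the thread and not part of sudo: it scans sudo syslog entries and flags the ones that handed out su or a shell. The line layout is sudo's standard syslog format; the hostname "mac1", the user names, and the assumption that "sudo -s" shows up as COMMAND=/bin/sh (the value of SHELL at the time) are made up for the example, and the log lines themselves are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not sudo's own tooling): list the sudo
# log entries that started a root shell. sudo logs the command it was asked to
# run; after "sudo su", "sudo -s" or "sudo tcsh" is running, nothing typed in
# that shell reaches sudo's log, so an auditor has to treat everything after
# such an entry, on that TTY, as unaccounted for.
#
# Assumptions: the standard sudo syslog line
#   "<ts> <host> sudo: <user> : TTY=... ; PWD=... ; USER=root ; COMMAND=<argv>";
# "sudo -s" logs the shell it executed (here /bin/sh, the caller's SHELL) and
# "sudo su" logs /usr/bin/su. Hostname and user names are invented; the
# log lines below are constructed for the example.

SAMPLE_LOG='Aug 22 08:50:01 mac1 sudo:     dave : TTY=ttys001 ; PWD=/Users/dave ; USER=root ; COMMAND=/usr/bin/su
Aug 22 08:51:13 mac1 sudo:     dave : TTY=ttys001 ; PWD=/Users/dave ; USER=root ; COMMAND=/bin/sh
Aug 22 08:52:40 mac1 sudo:      jcd : TTY=ttys002 ; PWD=/Users/jcd ; USER=root ; COMMAND=/usr/bin/tcsh
Aug 22 08:53:05 mac1 sudo:      jcd : TTY=ttys002 ; PWD=/Users/jcd ; USER=root ; COMMAND=/usr/sbin/serveradmin list
Aug 22 08:54:22 mac1 sudo:     dave : TTY=ttys001 ; PWD=/Users/dave ; USER=root ; COMMAND=/bin/ls /var/root
Aug 22 08:55:09 mac1 sudo:     dave : TTY=ttys001 ; PWD=/Users/dave ; USER=root ; COMMAND=/usr/bin/su - admin'

# Read sudo log lines on stdin; print "user command" for each entry whose
# command is su or an interactive shell. The match is on the basename of the
# first word of COMMAND, so "/usr/bin/su - admin" and "/bin/bash -l" are
# flagged while "/usr/sbin/serveradmin list" is not.
root_shell_events() {
    awk '
    /sudo:/ && /COMMAND=/ {
        user = $0
        sub(/.*sudo:[[:space:]]*/, "", user)   # drop everything before the user name
        sub(/[[:space:]]*:.*/, "", user)       # drop " : TTY=..." and the rest
        cmd = $0
        sub(/.*COMMAND=/, "", cmd)             # full argv exactly as sudo logged it
        split(cmd, argv, " ")
        n = split(argv[1], path, "/")
        base = path[n]                         # basename of the executable
        if (base ~ /^(su|sh|bash|zsh|ksh|csh|tcsh|dash)$/)
            printf "%s %s\n", user, cmd
    }'
}

# Number of root-shell entries on stdin: how many sessions the log cannot account for.
root_shell_count() {
    root_shell_events | grep -c .
}

# Stand-alone run over the constructed sample; flags the su, sh and tcsh entries.
printf '%s\n' "$SAMPLE_LOG" | root_shell_events
```

In practice the input would come from the syslog facility sudo is configured to use (or from sudo's own log file if one is set in sudoers) rather than from a string, and the shell list would be whatever shells are actually installed on the host. The script does not try to recover what happened inside the flagged sessions, because nothing in sudo's log can tell it; that gap is exactly why an audited site asks for "sudo command" per command instead of a root shell.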


Macos-x-server mailing list      (email@hidden)

References: 
 >Problems 'su'ing into the root user (From: Nate Rudd <email@hidden>)
 >Re: Problems 'su'ing into the root user (From: Simon Slavin <email@hidden>)
 >Re: Problems 'su'ing into the root user (From: Ansgar -59cobalt- Wiechers <email@hidden>)
 >Re: Problems 'su'ing into the root user (From: JC Derr <email@hidden>)
