To all who believe in the sudo myth
Authored by: cran on Sep 29, '09 12:49:26AM

I am using sudo for a lot of purposes and I like it. It totally makes sense to me to use sudo (e.g. sudo -s) instead of logging in as or su'ing to root. But I want to make clear that the following myths are indeed myths:

  1. sudo inherently makes things "more secure".
  2. there is nothing you cannot do with sudo (when you would use root otherwise).

I won't talk about 1. because it would become an endless discussion. But I want to give an example for 2.:

  scp foo.conf user@server:/etc/foo.conf

This won't work if /etc/foo.conf on server is only writable for root. Sudo won't help here. Now some smart ass might come up with seemingly cool stuff like:

  tar cf - foo.conf | ssh user@server '(cd /etc/ && sudo tar xpf -)'

This just sucks and has great potential for mistakes. How much easier is this:

  scp foo.conf root@server:/etc/foo.conf

So, to all people who say enabling root is, by itself, dangerous: Stop babbling and use SSH keys with very good passwords or at least very good passwords. And use sudo where appropriate.

To all who believe in the sudo myth
Authored by: babbage on Sep 30, '09 12:46:29PM

You let people log in as root via ssh?

You are a very brave person.

And I'm glad I don't work with you. :-)

To all who believe in the sudo myth
Authored by: corienti on Sep 30, '09 02:46:07PM

I let a select set of people - that is, the unix team - ssh in as root.

No one else can, naturally.

In internet-facing interfaces, I also use source IP filtering, and root can only log in using an ssh key, not via password.
And I also have the firewall configured to block IPs retrying connections too rapidly.

SSHing as root is quite as safe as anything else as long as you restrict it to the right people and put the appropriate security measures around it.

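The last comment rests on two sshd-side measures: root authenticates by key only, and root is accepted only from chosen source addresses. The script below is an added example, not part of any post in this thread, that checks for both in the effective configuration as printed by `sshd -T`; the function name and the sample settings are constructed for illustration, and firewall rules are outside its scope.

```shell
#!/bin/sh
# Added example. Reads effective sshd settings in `sshd -T` format
# (lowercase "keyword value" lines) on stdin and reports on root login.
# Only literal "root" / "root@HOST" AllowUsers entries are recognised.
audit_root_ssh() {
    awk '
    $1 == "permitrootlogin" { prl = $2 }
    $1 == "allowusers" {
        have_allow = 1
        for (i = 2; i <= NF; i++) {
            if ($i == "root" || $i == "*") root_any = 1   # any source address
            else if ($i ~ /^root@/)        root_from = 1  # USER@HOST pattern
        }
    }
    END {
        if (prl == "no") { print "OK   root login disabled"; exit 0 }
        fail = 0
        if (prl == "prohibit-password" || prl == "without-password" ||
            prl == "forced-commands-only")
            print "OK   root is key-only (permitrootlogin " prl ")"
        else { print "FAIL permitrootlogin \"" prl "\" does not force keys for root"; fail = 1 }
        # When AllowUsers is set, only matching users may log in at all.
        if (!have_allow)    print "WARN no allowusers; source filtering is left to the firewall"
        else if (root_any)  print "WARN allowusers admits root from any address"
        else if (root_from) print "OK   root limited to listed source addresses"
        else                print "OK   root not in allowusers, so root login is denied"
        exit fail
    }'
}

# Constructed sample input (not from the thread); 192.0.2.0/24 is a documentation range.
sample_hardened() {
    printf '%s\n' 'permitrootlogin prohibit-password' \
        'allowusers root@192.0.2.10' 'allowusers deploy'
}
sample_weak() { printf '%s\n' 'permitrootlogin yes' 'passwordauthentication yes'; }

sample_hardened | audit_root_ssh
sample_weak | audit_root_ssh || echo "=> review the findings above"
```

On a live host the input would come from `sudo sshd -T | audit_root_ssh`; the function exits non-zero when root is not forced onto keys.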