- login
- BSD-derived systems do not, by default, allow root logins from "insecure" terminals, which include all network connections
- Most System V-ish systems also have this feature these days
- Disadvantages
- You have no record of what was done as root
- Though shell history might provide this
- You have no record of who logged in as root
- su
- /bin/su better than su
- It's a good idea to use the full path for commands you run as root, so that a trojan horse program sitting earlier in your search path cannot be picked up instead
- Advantages
- You know who became root (because su logs to the syslog facility each time it's invoked)
- Disadvantages
- You still have no log of what was done as root
- It's a good idea to use the full path for su, rather than relying on the shell's search mechanism
- Prevents the possibility of a trojan 'su' somewhere being invoked
- On BSD-derived systems, only users in group "wheel" can su to root
- sudo
- A "limited su"
- Allows only specified commands to be run
- Advantages
- Logs all commands run
- Can be faster than logging in or using su if you need to do a single task
- Documents who has what privileges
- Uses the user's own password rather than the root password
- Disadvantages
- Can be a real pain if you're doing a lot of things as root
- User passwords may be just as sensitive as the root password
- Many commands can start up a shell (e.g. most text editors & mail programs). If these commands are allowed, you have essentially made that user account into a root account.
- Configurable
- Can allow certain users to run only certain commands
- Can allow certain users to run any command BUT certain commands
- Less secure
- Any time you give "anything but..." permissions, you leave an opening for a "dangerous" option to show up in the "anything" group.
- Example configuration (p. 42 in the book):
# Define aliases for machines in CS & Physics departments
Host_Alias CS = tigger, anchor, piper, moet, sigi
Host_Alias PHYSICS = eprince, pprince, icarus
# Define collections of commands
Cmnd_Alias DUMP = /usr/sbin/dump, /usr/sbin/restore
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/sbin/lprm
Cmnd_Alias SHELLS = /bin/sh, /bin/tcsh, /bin/csh
# Permissions
mark, ed PHYSICS = ALL
herb CS = /usr/local/bin/tcpdump : PHYSICS = (operator) DUMP
lynda ALL = (ALL) ALL, !SHELLS
%wheel ALL, !PHYSICS = NOPASSWD: PRINTING
- One thing to watch out for with sudo is that many commands allow a "shell escape." If you allow one of those commands (vi is an example), you are really allowing any command on the system.
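As an added illustration (not from the chapter, the book or the sudo project itself), here is a small Python evaluator for the subset of sudoers syntax used above. It models sudo's last-match-wins rule and the `!` negation over a constructed copy of the example; the requesting users ("ann"), hosts and the `/usr/bin/vi` request are assumptions, and nested aliases, wildcards, User_Alias and Runas_Alias are not modelled.

```python
import re
SUDOERS = """Host_Alias CS = tigger, anchor, piper, moet, sigi
Host_Alias PHYSICS = eprince, pprince, icarus
Cmnd_Alias SHELLS = /bin/sh, /bin/tcsh, /bin/csh
mark, ed PHYSICS = ALL
herb CS = /usr/local/bin/tcpdump : PHYSICS = (operator) /usr/sbin/dump
lynda ALL = (ALL) ALL, !SHELLS
%wheel ALL, !PHYSICS = NOPASSWD: /usr/sbin/lpc"""  # constructed from the chapter's example; not a real /etc/sudoers

def parse_sudoers(text):
    """Return (host_aliases, cmnd_aliases, user_specs) for this small sudoers subset."""
    hosts, cmnds, specs = {}, {}, []
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        if line.startswith(("Host_Alias", "Cmnd_Alias")):        # NAME = a, b, c
            name, members = [s.strip() for s in line.split(None, 1)[1].split("=", 1)]
            (hosts if line.startswith("Host") else cmnds)[name] = [x.strip() for x in members.split(",")]
            continue
        m = re.match(r"([^\s,]+(?:,\s*[^\s,]+)*)\s+(.+)", line)   # user list, then the rest
        users = [u.strip() for u in m.group(1).split(",")]
        for part in m.group(2).split(" : "):   # "hosts = [(runas)] [NOPASSWD:] commands"
            hostlist, _, cmdpart = part.partition("=")
            rm = re.match(r"(?:\((\w+)\)\s*)?(NOPASSWD:\s*)?(.*)", cmdpart.strip())
            specs.append(dict(users=users, hosts=[h.strip() for h in hostlist.split(",")],
                              runas=rm.group(1) or "root", nopasswd=bool(rm.group(2)),
                              cmds=[c.strip() for c in rm.group(3).split(",")]))
    return hosts, cmnds, specs

def _matches(items, aliases, value):
    """sudo-style list walk: the last item that matches decides; a leading '!' makes it a denial."""
    result = None
    for item in items:
        name = item.lstrip("!")
        members = aliases.get(name, [name])
        if "ALL" in members or value in members:
            result = not item.startswith("!")
    return result

def check(policy, user, groups, host, cmd):
    """Return (allowed, nopasswd, runas) for one request; the last matching spec wins."""
    hosts, cmnds, specs = policy
    verdict = (False, False, None)
    for spec in specs:
        who = user in spec["users"] or any("%" + g in spec["users"] for g in groups)
        if not who or not _matches(spec["hosts"], hosts, host):
            continue
        hit = _matches(spec["cmds"], cmnds, cmd)
        if hit is not None:
            verdict = (True, spec["nopasswd"], spec["runas"]) if hit else (False, False, None)
    return verdict
```

Running `check(policy, "lynda", [], "anchor", "/usr/bin/vi")` comes back allowed even though `/bin/sh` is denied for her, which is exactly the shell-escape gap in "anything but..." rules that the notes warn about.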
- ssh (Secure Shell -- not mentioned in this chapter)
- Is similar to login, but...
- Encrypts network connections
- Sets up X-window system forwarding
- May bypass "no root login" prohibitions
- This may be good, may be bad