Purpose of sudo

is sudo really about security or just more of a "prevent myself from doing dumb shit by mistake" feature?

If it's the former, what are some of the things sudo protects your server from if say, a sudo account is compromised/hacked?

Comments

  • ehabehab Content Writer

    U KNOW EXACTLY whats its used for

    @dahartigan can also explain

  • @ehab lol I don't get why you keep posting this gif on all my posts but it's hilarious regardless haha

    Thanked by (1)ehab
  • ehabehab Content Writer

    @AndrewL64 said:
    @ehab lol I don't get why you keep posting this gif on all my posts but it's hilarious regardless haha

    many in real life tell me when i get stuck on something i don't stop. I need to let go.

    Oky, since you spoke .... maybe i should stop OR

    --- i will find something else ---

  • edited October 2022

    This discussion on StackExchange regarding sudo was quite an interesting read. Even one of the authors of sudo chimed in on this thread.

  • It exists solely to annoy me

    Thanked by (1)AndrewL64
  • Thanked by (1)MikeDVB
  • skorupionskorupion Services Provider

    It's for big companies.

    Like Administrators in windows, without Sudo privileges, you can't install any apps on a company computer.

    It's meant for enterprises with a lot of computers, who don't like Microsoft.

  • >disallow root login via ssh
    >allow passwordless sudo

    image

  • @jmgcaguicla said:
    >disallow root login via ssh
    >allow passwordless sudo

    image

    That's what I do(for some of my machines)! It still prevents random attacks targeting root. Also I disable password login via SSH.

  • Australians kept making cute remarks about "rooting," and we became annoyed with the whole thing. That's why we created it.

    Thanked by (1)dahartigan
  • @AndrewL64 said:
    is sudo really about security or just more of a "prevent myself from doing dumb shit by mistake" feature?

    If instead of always using root, it can help limit system-wide consequences. At least if you don't prefix the command with sudo by default. You can probably find many stories of people having avoid disaster, because they weren't using the root account by default (e.g., rm -rf). Simply not using root as much as possible, and forcing yourself to be very intentional when it comes to root-level tasks, is just a decent, safe way to manage an operating a system.

    It also allows you to give some privileges and root-level access to users, groups, and commands that you might want to provide without giving full root access. This isn't foolproof, but environments where users are reasonably trustworthy nearly 100% of the time, this is just a reasonable method of delegating limited access.

    One nice feature is that when invoked, a log message by default will be generated. If you're doing remote logging, this can be invaluable. Audit trails, practically always a useful thing to have.

    It may not stop determined attackers and I wouldn't rely on it for protecting the system if you have any other users on the system. It is what it is, a tool to help manage access in relatively trustworthy environments, a tool to limit root-level mistakes, and a convenient way to produce an audit trail for day-to-day root-level tasks.

  • @AndrewL64 said:
    is sudo really about security or just more of a "prevent myself from doing dumb shit by mistake" feature?

    I would say it's about preventing others from doing dumb shit, not yourself.
    Sudo should be used if you have a specific user that needs to run a specific command with specific privileges, but should not have access to anything else.
    For example if you have a guy that needs to make changes in DNS, you could assign this particular user the right to run 'rndc reload'. Besides that specific command, he is just a user with no privileges at all. If you have a web guy, give him 'apachectl reload' and nothing else. Etc.

    People that put "MY_USER ALL=(ALL) NOPASSWD: ALL" in the sudoers file have completely missed the idea and should not be using sudo at all. Actually, if you use "ALL" at all in the sudoers file, you are doing it wrong.

  • @rcy026 said:
    Actually, if you use "ALL" at all in the sudoers file, you are doing it wrong.

    I would say that's not exactly the case. I have it set up this way on my local machines like my laptop and desktop. For production systems, yes it's best to limit what commands one can run based on what duties they must perform, given your example. But if you're the only person on the machine anyways, I think it's still better than becoming root to begin with, given that you have to put in your password to proceed with a potentially dangerous/destructive command.

    Your example makes a lot of sense in organizations with split responsibilities between people, be they few or many. But if it's your own box, having the flexibility with the sudoers configuration is what makes the utility so great to use to begin with!

    Cheap dedis are my drug, and I'm too far gone to turn back.

  • its purpose is to annoy grownups.

    listen, like everything else related to security that you find repeated blindly on the internet, it has some valid uses but nobody even remembers what they are as we're too busy blindly copy/pasting security tips somebody else blindly copy/pasted to a shitty website.

    I ain’t reading all that, but I’m happy for you though. Or sorry that happened.

  • @zed said:
    its purpose is to annoy grownups.

    listen, like everything else related to security that you find repeated blindly on the internet, it has some valid uses but nobody even remembers what they are as we're too busy blindly copy/pasting security tips somebody else blindly copy/pasted to a shitty website.

    hey guy don't forget to change your ssh port.

    I ain’t reading all that, but I’m happy for you though. Or sorry that happened.

  • sudo was invented to make the linux administrator feel big when he exclaims his commands. For example:
    "I am the king of the system and i command a poweroff."
    sudo poweroff #!
    sudo echo 5 #!!
    etc.

  • edited October 2022

    @CamoYoshi said:

    @rcy026 said:
    Actually, if you use "ALL" at all in the sudoers file, you are doing it wrong.

    I would say that's not exactly the case. I have it set up this way on my local machines like my laptop and desktop. For production systems, yes it's best to limit what commands one can run based on what duties they must perform, given your example. But if you're the only person on the machine anyways, I think it's still better than becoming root to begin with, given that you have to put in your password to proceed with a potentially dangerous/destructive command.

    Your example makes a lot of sense in organizations with split responsibilities between people, be they few or many. But if it's your own box, having the flexibility with the sudoers configuration is what makes the utility so great to use to begin with!

    If it is your own box and you have root access anyway, you should just use "su -c command" instead of sudo.

  • @rcy026 said:

    @CamoYoshi said:

    @rcy026 said:
    Actually, if you use "ALL" at all in the sudoers file, you are doing it wrong.

    I would say that's not exactly the case. I have it set up this way on my local machines like my laptop and desktop. For production systems, yes it's best to limit what commands one can run based on what duties they must perform, given your example. But if you're the only person on the machine anyways, I think it's still better than becoming root to begin with, given that you have to put in your password to proceed with a potentially dangerous/destructive command.

    Your example makes a lot of sense in organizations with split responsibilities between people, be they few or many. But if it's your own box, having the flexibility with the sudoers configuration is what makes the utility so great to use to begin with!

    If it is your own box and you have root access anyway, you should just use "su -c command" instead of sudo.

    Sure, but the logging that comes from sudo is nice to have alongside - Logging on your own local box is just as important as on a server, in my opinion.

    Thanked by (1)mfs

    Cheap dedis are my drug, and I'm too far gone to turn back.

  • @ehab said: @dahartigan can also explain

    sudo does not work on women despite MANY attempts to have them show bobs and gene.

    Thanked by (1)ehab

    Get the best deal on your next VPS or Shared/Reseller hosting from RacknerdTracker.com - The original aff garden.

Sign In or Register to comment.