[sclug] su/sudo
Will Dickson
wrd at glaurung.demon.co.uk
Mon Jan 16 22:35:35 UTC 2006
Spiros Kapetanakis wrote:
>
> AFAIK, there is only one (potentially crucial) difference between
> using sudo and su. If you su into the root account and run a process
> that requires you reading a config file, it will be read from root's
> home directory /root. If, on the other hand, you "sudo run_command",
> the config file will be read from the user's home dir /home/my_user.
>
> I believe that there is a way to get sudo to read from root's home dir
> (could it be -i ?) but I'm not sure. When in doubt, I just use su...

On my (k)ubuntu box, FWIW:

wrd@glaurung:~$ echo $HOME
/home/wrd
wrd@glaurung:~$ sudo -i
Password:
root@glaurung:~# echo $HOME
/root
root@glaurung:~#

What Alex said about using sudo to delegate partial root powers to
separate roles, although that's a somewhat different issue. Presumably
this would also allow better auditing in a paranoid setup - when
something nasty happens, and is logged, you could tell which wheel dunnit.

IIRC one of the claimed benefits is that it makes certain attacks harder
- e.g. instead of using some password cracker against a known account
(root) you now have to guess which accounts are sudoers, so the problem
is harder. However, this is security through obscurity, and we all know
about *that*.

I think it probably is incrementally better, esp. for newbies: you only
have to remember one password, not two (so there's more chance that the
newbie will use a reasonably strong password), and there's less
temptation to work as root for non-sysadmin work, like you do on
Wind'ohs. By the time the newbie finds out about the -i option, the
chances are that s/h/i will be well on h/h/i way to not being a newbie
any more.

Will.
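
The auditing point in the message above, as an added example that is not part of the original post: sudo logs each command together with the invoking user, so the log can be grouped per person. The sample lines are constructed in the format sudo writes to syslog; the users, commands and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not real logs). The su line records only that a root
# session was opened, not what was run in it, so there is nothing to attribute.
SAMPLE_LOG = """\
Jan 16 22:31:02 glaurung sudo:      wrd : TTY=pts/1 ; PWD=/home/wrd ; USER=root ; COMMAND=/bin/bash
Jan 16 22:33:40 glaurung sudo:     alex : TTY=pts/2 ; PWD=/var/www ; USER=root ; COMMAND=/usr/sbin/apache2ctl restart
Jan 16 22:34:15 glaurung sudo:   spiros : command not allowed ; TTY=pts/3 ; PWD=/home/spiros ; USER=root ; COMMAND=/bin/rm -rf /var/log
Jan 16 22:35:01 glaurung su[4121]: Successful su for root by wrd
Jan 16 22:35:20 glaurung sudo:      wrd : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# "sudo:" or "sudo[pid]:", then the invoking user, " : ", then the record body.
SUDO_RE = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$")


def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    # COMMAND= comes last and may itself contain " ; ", so split it off first.
    head, sep, command = m.group("body").partition("COMMAND=")
    if not sep:
        return None
    fields, notes = {}, []
    for part in (p.strip() for p in head.split(" ; ")):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
        elif part:
            notes.append(part)  # e.g. "command not allowed"
    return {"user": m.group("user"), "run_as": fields.get("USER"),
            "tty": fields.get("TTY"), "pwd": fields.get("PWD"),
            "command": command.strip(),
            "failure": "; ".join(notes) or None}


def commands_by_user(log_text):
    """Map each invoking user to a list of (command, failure-or-None)."""
    result = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec:
            result[rec["user"]].append((rec["command"], rec["failure"]))
    return dict(result)
```

Note that a `sudo -i` session shows up only as the shell being started (`COMMAND=/bin/bash` in the sample); commands typed inside it are not logged line by line.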