Mar 21 2006

Why sudo is better than su when working in a team

I read an article today which was critical of sudo.

I work in an environment where I have to remember multiple passwords for many different systems and I think the author has missed a few critical points. The author mentions at the end that there are reasons for enabling/disabling root access, but doesn’t really cover what they are. So I thought I would…

However, before I start, there are a few prerequisites to my argument:

  • Your own personal password is the most valuable password you have - it needs to be secure and you should never give it to anyone.
  • A password chosen by other people is nearly impossible to remember - from experience I know that it is very difficult to remember root passwords for many different machines. The better chosen the password is (a good mix of case, symbols and numbers), the more difficult it is to memorise. Guess what the user is going to do to remember them (hint: check for post-it notes). My memory is not particularly poor either!

Right - back to the article:

Second, you get a log entry in /var/log/system.log every time sudo is used showing you who used it and what command was executed. These appear good enough reasons to endure the slight inconvenience of using sudo.

Here’s one of the major benefits of sudo - accountability. You can use sudo to work out who became root. In the case of a break-in you can see which user account was compromised, and if you want to audit commands, you can see who became root and what they ran. Also, as the author mentions, you can restrict users to a specific set of commands, so you get an improved audit trail compared to su. I’m unsure what the inconvenience of using sudo is (maybe because to open a root shell you have to use sudo -s instead of su).

Every other command after starting a root shell does NOT get logged at all. All you can tell from this is when someone started the root shell. Whatever happened after that is a mystery.

The same is true of users logging in directly on a console or using su. Using your shell’s logging facility (its history file) is no good for auditing because it can easily be deleted or even forged. The correct way to do this is to use process accounting, regardless of whether you are using sudo or su.
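To make the accountability point concrete, here is a small added example (not from the original article or from sudo itself) that parses sudo syslog records, attributes each command to the invoking user, separates refused requests, and flags the moment a root shell was opened, which is exactly where sudo’s per-command record stops. The host, users, paths and timestamps in the sample are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format sudo writes (the ident may carry a
# PID on some systems). Host, users, paths and times are invented.
SAMPLE_LOG = """\
Mar 21 09:01:12 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/apachectl graceful
Mar 21 09:03:45 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 21 09:05:02 web1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 21 09:06:30 web1 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Mar 21 09:07:11 web1 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""

# One sudo record per line; a failure reason, when present, sits before TTY=.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that hand the user an interactive shell: sudo logs nothing after them.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/su", "/usr/bin/su"}

def parse_sudo_log(text):
    """Return one dict per sudo record; lines from other daemons are skipped."""
    records = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ok"] = rec["reason"] is None          # no reason => command ran
        rec["opens_shell"] = rec["ok"] and rec["cmd"].split()[0] in SHELLS
        records.append(rec)
    return records

def audit(records):
    """Who ran what as the target user, which requests were refused, and
    where the per-command trail ends because a shell was started."""
    summary = {"by_user": defaultdict(list), "denied": [], "shell_gaps": []}
    for r in records:
        if not r["ok"]:
            summary["denied"].append((r["user"], r["reason"], r["cmd"]))
            continue
        summary["by_user"][r["user"]].append(r["cmd"])
        if r["opens_shell"]:
            summary["shell_gaps"].append((r["ts"], r["user"], r["tty"]))
    return summary
```

Run `audit(parse_sudo_log(SAMPLE_LOG))` against a real log and the `shell_gaps` entries mark where you must fall back to process accounting for anything further.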

The most obvious change is to require a different password than your user password to authenticate.

“A password chosen by other people is nearly impossible to remember”. When working as part of a team, you rarely get to choose root passwords, and remembering other people’s secure root passwords is very hard. Remembering your own very secure password is much easier. If you need a layer of protection beyond just your password, then you need to move to two- or three-factor authentication, not more passwords.