On 25/03/13 00:33, Claudio Freire wrote:
On Sun, Mar 24, 2013 at 7:55 PM, Rajko wrote:
TBH I've always considered "sudo su" rather common and standard.
That could be the case in some other distro, but within openSUSE you will often find recommendations to use 'su' and 'su -' and not 'sudo'. Details are buried in the discussions stored in mailing list archives, but I would recall if there was any significant chatter about changes regarding this.
Well, I'd consider any recommendation to not use sudo entirely rather ill-suited for most applications where sudo is desired.
I.e., when you want to give sudo powers to users without giving them the root password. Which I'd consider an important use case.
I thought the recommendation was against the specific "sudo su" idiom.
One of the reasons why sudo is also encouraged is logging. On a shared computer, it is relatively trivial to log every command executed via sudo and then aggregate that information via e.g. logwatch or logcheck or any number of monitoring solutions. For this reason, it might be advisable to actually specifically disallow sudo su, since that circumvents said measures, basically using sudo once to gain a root shell, in which you can go crazy.

This is sample output from a Debian 7 box:

Mar 25 11:33:24 ares su[8263]: pam_wheel(su:auth): Ignoring access request 'user' for 'root'
Mar 25 11:33:29 ares su[8263]: Successful su for root by user
Mar 25 11:33:29 ares su[8263]: + /dev/pts/0 user:root
Mar 25 11:33:29 ares su[8263]: pam_unix(su:session): session opened for user root by user(uid=1000)
Mar 25 11:33:37 ares su[8263]: pam_unix(su:session): session closed for user root
Mar 25 11:33:50 ares sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar 25 11:33:50 ares sudo: pam_unix(sudo:session): session opened for user root by user(uid=0)

The commands executed within the root shell are not logged; however, every single command executed via sudo is.
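
The logging gap described in the message above, as an added example that is not part of the original post: a small auth.log audit that lists the commands sudo recorded and flags the root shells whose contents were not recorded. The function name `audit`, the `SHELLS` list and the final `sudo su` log line are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the auth.log format quoted above; the last line
# (a "sudo su" invocation) is invented for illustration.
SAMPLE = """\
Mar 25 11:33:29 ares su[8263]: pam_unix(su:session): session opened for user root by user(uid=1000)
Mar 25 11:33:37 ares su[8263]: pam_unix(su:session): session closed for user root
Mar 25 11:33:50 ares sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar 25 11:34:02 ares sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/su -
"""
STAMP = r"^(\w{3} +\d+ [\d:]{8}) \S+ "
SUDO = re.compile(STAMP + r"sudo: +(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
SU = re.compile(STAMP + r"su\[(\d+)\]: pam_unix\(su:session\): "
                r"session (opened|closed) for user (\S+)")
# Assumption: programs that hand over an interactive shell, so nothing
# typed afterwards reaches the sudo log.
SHELLS = {"su", "sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}

def _ts(stamp):
    # Classic syslog stamps carry no year; only differences are used here.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def audit(log_text):
    """Return (logged, unlogged): audited sudo commands and root shells."""
    logged, unlogged, open_su = [], [], {}
    for line in log_text.splitlines():
        m = SUDO.match(line)
        if m:
            who, target, cmd = m.group(2, 3, 4)
            prog = (cmd.split() or [""])[0].rsplit("/", 1)[-1]
            if prog in SHELLS:   # one log entry, then an unaudited shell
                unlogged.append(("sudo", who, target, cmd))
            else:
                logged.append((who, target, cmd))
            continue
        m = SU.match(line)
        if not m:
            continue
        stamp, pid, event, target = m.groups()
        if event == "opened":
            by = re.search(r" by (\S*?)\(uid=", line)
            open_su[pid] = (_ts(stamp), by.group(1) if by else "?", target)
        elif pid in open_su:     # session closed: report the blind window
            start, who, target = open_su.pop(pid)
            secs = int((_ts(stamp) - start).total_seconds())
            unlogged.append(("su", who, target, f"{secs}s unaudited"))
    return logged, unlogged
```

On the sample, the `less` call is the only audited command; the 8-second `su` session and the `sudo su` shell both show up as unaudited.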