How is sudo safer than directly using su if the user is granted access to all commands?
So I've been reading into the differences between using su
and sudo
, and everyone seems to be in agreement that the sudo
approach is safer than allowing access to the root account itself. They say that with the root account you could break your entire system with just a single command. This I understand. BUT the initial user created on the system also has access to all commands using sudo. This I can find out by running su -l
. If this is the case, then I can simply run sudo <game-ending command>
to ruin my system. So how is this approach better or safer then allowing me direct access to the super user account? I can run all of the same commands...
Is it because using sudo
on the command line I am explicitly telling the computer I think I know what I am doing? Do they think people will forget they are under the super user account unless they explicitly say so?
People also state that if the system were compromised and entered by someone foreign, being under the root account would allow them to do terrible things to my system. But it seems to me if they already have access to my account, and know my password, they can do these same terrible things by using sudo and entering my password since they don't even need to know the super user's password. What am I not getting here?
Solution 1:
Personally I do not necessarily consider it safer and most of the benefits (of sudo) are on a multi user system. On a single user system it probably is a wash.
The benefits are (in no particular order):
- sudo has superior logging. sudo logs each command.
- sudo allows finer grain control. One can configure sudo to give root access to some but not all commands.
- sudo uses the login password. This protects having to give the root password (as you would with su) and is related to the point above regarding finer grained control / access to root.
- In Ubuntu, by default, the root account is locked. This deters crackers as to log in (remote via say ssh) they have to guess both a user name and a password. If the root account is not locked, as is the case with su, then they only need to crack root's password.
-
sudo -i
is probably the best method to isolate root's environmental variables from your user. This comes up from time to time but is moderately esoteric. See https://help.ubuntu.com/community/RootSudo#Special_notes_on_sudo_and_shells - some people feel that having to type sudo before every command they wish to run as root or having sudo time out allows them to stop and think more clearly and reduces their errors or running erroneous commands. If doing so helps you that would be a benefit as well.
There are probably more benefits , but, those are the major ones, IMHO.
See also - https://help.ubuntu.com/community/RootSudo
To try to answer some of your other thoughts:
- There is nothing about either su or sudo that prevents you running malicious code as long as you know the password. Neither is safer or better.
- Crackers can obtain shell access via a number of methods. When you see "run arbitrary code" in a security notice - https://usn.ubuntu.com/usn/ - that means a cracker can run /bin/bash or any other code. Thus a cracker, via various exploits, can obtain shell access without knowing your login name or password. Neither sudo or su helps with this.
- If a cracker has shell access they can do a lot of damage without root access. For example the ransomware that encrypts all your personal data.
- If a cracker has shell access to an account with root access, via either su or sudo, the cracker can obtain root access via a number of methods beyond the scope of this discussion. Neither sudo or su is superior in this respect either.
So while you have observed problems or flaws with sudo, su has the exact same vulnerabilities and su is not superior to sudo in those aspects, IMHO
Solution 2:
Imagine you have 20 minutes to do something complex. You’re a bit hungover and you have to rush. “Let’s use su” you say. “It’ll save some time” is your reasoning.
By accident you type
rm -rf /*
instead of
rm -rf ./*
Your system is now bricking itself and you have 10 minutes until your deadline.
If you explicitly choose when you need root, you can minimise the chance of this happening. Root might not be needed for rm -r ./*
so why use it? Why take the risk?
That’s what “safety” means here. Minimising the risk of users (all users, not just beginners) making a fatal mistake.
Of course, this is an extreme example that shouldn’t be allowed to happen in a production environment (I guarantee it has happened in a prod environment).
Security wise there’s some stuff that sudo is better for too. As @Panther says - logging, restrictions, root password is SPOF, etc.)
Solution 3:
I want to add a bit of historical perspective to the other answers. Unfortunately, I do not have any sources ready except for my own memories of Usenet discussions and magazine articles.
Some time ago, in the 1990s, distributions were making it easier to install Linux on your own hardware, even with not much computer knowledge.¹ Thus, Linux started to attract more and more people that surprisingly had not previously been drilled as system administrators on some UN*X dialect. Instead, many were used to (single user) systems like Windows 95/98. And they learned that most Linux system administration tasks made it necessary to work under that strange "root" account.
Thus, some users just logged in as root and used that account for all their daily work. Why should they have to type su
and the root password again and again or login into a new tty just for some admin commands? But using root for everything is of course not a good idea, as you could do a lot more harm to your system with some unmindful command in the wrong place. This even led some distro (was it SuSE?) to modify the desktop background for the root user to display a big warning that you should use that account only for admin tasks.
So, the Ubuntu way with sudo
has some advantages (in addition to those already listed by Panther).
- You cannot directly login to the root account.² :-)
- The installation process will not ask you for an (additional) root password, you need only one (your user's) password.
-
sudo
caches your credentials, so for multiple admin commands in sequence, you only have to enter your password once (in contrast tosu
). This reduces the urge to just open a shell or a new terminal with root privileges. - And it makes it easier to tell users online and in documentation which commands they have to enter as admin and which not.³
¹ And for those not daring to do it themselves, there were install parties.
² But you can use a command like sudo -i
or sudo su - root
to get a root shell after you logged in as a normal user.
³ But you know of course that you should not simply copy&paste commands from the Internet, right?
Solution 4:
It has been possible to disable root login through ssh for decades. The Ubuntu way of disabling the root account and making people sudo everything is nothing more than a gimmick. Just "sudo -s" and you have a root shell. Disable root login through ssh and leave it there.