Should I use sudo or just su root in server management?
Which approach is better?
For desktop usage, it seems that sudo is better since:
- I can have a more consistent history as a normal user
- Don't need to remember two passwords, which is especially true when I don't do administrative stuff regularly.
- No need to create an additional root account on installation.
But what about server management?
On a server you usually already have a root account, and you are likely to do administrative work often. So the advantages of sudo no longer seem to hold.
What's more, it's easy to configure su on the command line in most distributions: just add the user to the wheel group. (You can even pass -G wheel when running useradd.) Thus configuring su can easily be automated in shell scripts.
But for sudo? You need to first add the user, then run visudo interactively. This is bad since you cannot automate it in shell scripts.
(Well, you can. For example,
cp /etc/sudoers /etc/sudoers.old                  # keep a backup of the current file
cp /etc/sudoers /tmp/sudoers.tmp                  # edit a copy, not an empty file
echo '%wheel ALL=(ALL) ALL' >> /tmp/sudoers.tmp   # append the new rule to the copy
visudo -c -f /tmp/sudoers.tmp && install -m 0440 -o root -g root /tmp/sudoers.tmp /etc/sudoers   # parse-check, then install with the mode sudo requires
But at least it is not that easy.)
So what are your opinions? For a server environment, which would you prefer, sudo or su root?
The root account is necessary on servers for sure, but I prefer granting sudo rights, especially when there are several users on the machine, and this for several reasons:
- I don't use sudo only to grant ALL rights for ALL commands, but also to grant specific rights as a specific user to specific commands.
- By assigning users to functional groups, I can manage their rights with these groups in sudoers instead of managing users individually.
- sudo accesses are logged in auth.log by default, including which users used sudo at what time.
- sudo allows managing the configuration of several machines with one file.
- each user keeps their own password, so there is no need to change the root password when a user leaves.
As for managing it with scripts, new versions of sudo support inclusions, but I prefer to use puppet and set classes that concatenate sudoers contents.
Puppet can also be associated with Augeas to manage your sudoers file.
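The question asks how to automate sudo configuration from a script, and the answer above prefers narrow, group-based grants and the include mechanism of newer sudo versions. The following script is an added example, not code from the question or either answer: it writes a drop-in fragment for one group and a fixed command list, parse-checks it with visudo -c -f before anything is installed, and sets the 0440 mode sudo expects. The function name install_sudoers_fragment and the SUDOERS_D variable (which lets the script target a scratch directory for testing) are assumptions of this example; it also assumes a sudoers that includes /etc/sudoers.d.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Installs a validated sudoers drop-in fragment instead of appending to
# /etc/sudoers by hand. Assumptions: the main sudoers file contains
# "#includedir /etc/sudoers.d" (or "@includedir" in sudo 1.9.1+), and the
# SUDOERS_D variable lets a caller point at a scratch directory for testing.
set -eu

SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"

# install_sudoers_fragment NAME GROUP COMMANDS
# Writes $SUDOERS_D/NAME granting members of GROUP the right to run COMMANDS
# (a comma-separated sudoers command list) as root, and nothing else.
install_sudoers_fragment() {
    name=$1; group=$2; cmds=$3
    tmp=$(mktemp)
    # '%group' is sudoers syntax for a Unix group; '%%' prints a literal '%'.
    printf '%%%s ALL=(root) %s\n' "$group" "$cmds" > "$tmp"
    # Validate before installing: one syntax error in sudoers disables sudo
    # for everyone. 'visudo -c -f FILE' only parses FILE and never touches
    # /etc/sudoers, so it is safe to run from a script.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" >/dev/null
    else
        echo "warning: visudo not found, $name was not syntax-checked" >&2
    fi
    # sudo refuses drop-ins that are not mode 0440 and root-owned (run this
    # as root for a real install), and skips names containing '.' or ending
    # in '~'. install(1) copies and sets the mode in one step.
    install -m 0440 "$tmp" "$SUDOERS_D/$name"
    rm -f "$tmp"
    echo "installed $SUDOERS_D/$name"
}
```

Run as root, `install_sudoers_fragment ops-nginx ops '/usr/bin/systemctl restart nginx'` gives the ops group exactly one privileged command; the blanket rule from the question would be `install_sudoers_fragment wheel-all wheel ALL`. Because each grant lives in its own file, removing a right is deleting that file rather than editing /etc/sudoers, which is what makes this easy to drive from configuration management.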
You seem to be making things hard on yourself (when it comes to managing /etc/sudoers). A simple
echo '%wheel ALL=(ALL) ALL' >> /etc/sudoers
would suffice. All visudo does is lock the file against concurrent edits and ensure that the file still parses correctly.