[sudo-users] How does sudo improve security.

Ladner, Eric (Eric.Ladner) Eric.Ladner at chevrontexaco.com
Thu Apr 7 11:40:28 EDT 2005


Generally, it increases security by creating a log of who did what and
reduces the number of people that have to have root access to the box to
execute specific commands.

If somebody anonymously does something as root, it's harder to point a
finger.  If there's a log of somebody executing a command at a
particular time, then that alone increases security by providing an
audit trail.

This assumes that users don't have access to a shell in general (and
even then, you could use sudosh to track that). 

"Normal" users don't have sudoers entries, and even if they do, normal
users should have a very tight and targeted set of commands that they
can execute, not generic "sudo to root" capability.

Sudo does things like this:  I could assign you the ability, as root, to
start a specific command to kick off backups or something.  I'm only
allowing you to execute that ONE command as root.  If I wasn't using
sudo, I'd have to give you the root password or spend time writing a
suid wrapper for the command.  

Eric Ladner, Systems Analyst 
RFMS IT Support

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Pico Geyer
Sent: Thursday, April 07, 2005 10:33 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] How does sudo improve security.

Hi all.

I've been reading about sudo, and many state that sudo improves
security. 
I'm just wondering how it does this?
If users can use sudo to do things that they were normally not allowed
to do, does this not decrease security?

And if a normal user gets hacked, then the hacker will now have
super-user privileges without even knowing the root password.

If I have a big misunderstanding of the way sudo works, please help me
to correct that.

Thanks in advance.
Pico 
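
The audit trail described in the reply above, as an added example that is not part of the original thread: it parses sudo entries and marks the point where a root shell ends per-command logging. It assumes sudo's default syslog line layout; the log lines, user names, host name and backup command path are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's default syslog layout (not from the thread).
SAMPLE_LOG = """\
Apr  7 11:40:28 box1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/local/sbin/start-backup
Apr  7 11:52:03 box1 sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/shutdown -h now
Apr  7 12:05:41 box1 sudo:      bob : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Apr  7 12:06:10 box1 sshd[311]: Accepted publickey for bob from 192.0.2.10 port 50022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:(?P<error>[^;]+?) ; )?TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.+)$"
)

# Once one of these runs as root, later actions are no longer logged per command.
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "su"}

def parse_sudo_log(text):
    """Return one dict per sudo event; lines from other programs are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["allowed"] = ev.pop("error") is None   # e.g. "command not allowed"
        exe = ev["command"].split()[0]
        ev["shell"] = ev["allowed"] and exe.rsplit("/", 1)[-1] in SHELLS
        events.append(ev)
    return events

def audit_report(events):
    """Group events per user: commands run, commands refused, shells started."""
    report = defaultdict(lambda: {"ran": [], "denied": [], "shells": []})
    for ev in events:
        key = "shells" if ev["shell"] else "ran" if ev["allowed"] else "denied"
        report[ev["user"]][key].append((ev["time"], ev["command"]))
    return dict(report)

if __name__ == "__main__":
    for user, entry in audit_report(parse_sudo_log(SAMPLE_LOG)).items():
        print(user, entry)
```
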

