[sudo-users] How does sudo improve security.

David Thiel lx at redundancy.redundancy.org
Sat Apr 9 15:48:19 EDT 2005


On Sat, Apr 09, 2005 at 04:47:25PM +1000, mlh at zip.com.au wrote:
> At a /minimum/, you should allow everyone to sudo -s (i.e. start
> a shell as root) and change the root password to something only
> you know.  At least that way you will log when they use the
> feature.

This way though, you're decreasing the security of the system somewhat
by making it so if a user account is compromised by an attacker, the
root account is as well. This is the tradeoff for sudo's slightly more
verbose logging. Certainly, there are other ways to gain root access by
compromising a user account with root access and trojaning it, but sudo
-s gets the job done faster.

It may sound silly, but one thing I've wanted from sudo is the ability
to actually prompt for the root password (or some other password, for
that matter), so at least in situations where you grant unrestricted
sudo access, a user would have to know two passwords instead of one. It
would be good for sudo on single-user systems and such, for those of us
that use it in some situations just to execute as little as root as 
possible.

In summary: 

sudo -s + user password compromise = instant root
su + user password compromise = eventual root

Thoughts?
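
The two-password arrangement discussed in this message, written as a sudoers fragment. This is an added example, not part of the original post; it relies on the sudoers options rootpw, timestamp_timeout and logfile, and the group name "admins" and the log path are assumptions.

```sudoers
# Constructed example. Edit with visudo so syntax errors are caught
# before the file is installed.

# Rule under discussion: members of the (hypothetical) group "admins"
# may run anything, including "sudo -s". With default settings sudo
# asks for the invoking user's own password, so one stolen user
# password is enough for a root shell.
%admins ALL=(ALL) ALL

# Prompt for root's password instead of the invoking user's.
# An attacker who holds only the user's login password can no longer
# authenticate to sudo for this rule.
Defaults:%admins rootpw

# Do not cache a successful authentication; prompt on every invocation
# so a hijacked terminal cannot reuse an earlier sudo session.
Defaults:%admins timestamp_timeout=0

# Keep the per-invocation record that motivated using sudo over su.
# The path is an assumption; syslog logging stays enabled as well.
Defaults logfile=/var/log/sudo.log
```

With rootpw set, every member of the group has to know root's password, so it becomes a shared secret again. The log records that "sudo -s" was started, not the commands typed inside the resulting shell.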


