[sudo-users] Sudo su - question

Patrick Spinler spinler.patrick at mayo.edu
Tue Sep 6 11:02:45 EDT 2011


In addition to the command logging someone else mentioned, there are a
couple of other useful effects:

A small but useful thing I find is that it's handy to be able to do both
privileged and non-privileged commands in the same session.

Say, for instance, I'm debugging or installing a vendor app, and I want
to know what in the heck the provided executable 'foobar' does.  There's
no man page, and it's not mentioned in the sparse vendor docs.

So, one thing to try is to just run the darn command; perhaps it has a
help output if I run it with -? or -h or -H or --help.  But do I really
want to do that as root?  Probably not.  Easy to run it unprived if I'm
running as myself, a little more tricky to do if I'm just running a root
shell.

Another thing, mostly for server admin in a large, audited environment,
is that sudo is a handy tool to help meet auditing requirements.  Should
HIPAA, FDA regulations, or Sarbanes–Oxley darken your doorstep, tools to
restrict access and audit the access used are invaluable tools to
satisfy the auditors.

Finally, there's the small but potentially useful mental flag "hey, this
is important, pay attention to this command".  I'll often type out the
privileged command sans the sudo prefix, examine it, then ctrl-A (or for
you poor deprived vi people :-), esc shift-I) back to the line start and
insert the sudo.

For what it's worth, the only time I really invoke a root shell is if I
have to cd down a protected directory path I can't get into with my
regular account, or if I'm in crashed system recovery mode from the
system console.

-- Pat

On 09/06/2011 05:10 AM, Mister V wrote:
> Hi Sudo group
> 
> This is a question to find the correct practice in regards to sudo usage.
> 
> I have recently been told sudo bash or sudo su - is bad practice and I
> should refrain from using this. I am quite insulted by this since if I am
> administrating a box or working on things that do require root I do not want
> to keep adding sudo to all my commands.
> 
> So the question is for those who have developed it and to try to work out if
> sudo command is actually the bad practice rather than sudo su -
> 
> I have come across this post which does point out the issues of running sudo
> command rather than sudoing as root.
> 
> http://weblog.leapster.org/archives/130-Using-sudo-non-interactively-for-administration-is-potentially-harmful..html
> 
> 
> I would guess there are arguments for and against this method. Could someone
> more clued up give me their opinion?
> 
> Thanks

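To illustrate the command-logging and auditing point in this thread, here is an added example (not code from either poster or from the sudo project) that separates itemised sudo log entries from root-shell launches. By default sudo logs only the command it starts, so commands typed inside a `sudo su -` or `sudo bash` session do not appear. The log lines are constructed samples in sudo's default syslog format, and the function names are hypothetical.

```python
import re

# Constructed sample lines in sudo's default syslog format (not from the thread).
SAMPLE_LOG = """\
Sep  6 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Sep  6 09:20:41 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Sep  6 09:31:17 web01 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Sep  6 10:02:55 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Sep  6 10:05:09 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls
Sep  6 10:09:44 web01 sudo:     dave : TTY=pts/3 ; PWD=/opt/vendor ; USER=root ; COMMAND=/bin/sh /opt/vendor/install.sh
"""

# Matches successful invocations only; failed-attempt lines carry extra text
# between the user name and TTY= and are skipped.
ENTRY = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : TTY=\S+ ; PWD=.*? ; "
    r"USER=\S+ ; COMMAND=(?P<command>\S.*)$"
)
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
LOGIN_FLAGS = {"-", "-l", "-i", "--login"}

def is_opaque_shell(command):
    """True if the logged command starts an interactive shell or su session."""
    argv = command.split()
    name, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if name == "su":
        # 'su -c cmd' runs one command; anything else drops into a shell.
        return not any(a in ("-c", "--command") or a.startswith("--command=") for a in args)
    if name in SHELLS:
        # A shell given a script or -c is one logged action, not a session.
        return all(a in LOGIN_FLAGS for a in args)
    return False

def split_audit_trail(log_text):
    """Return (itemised, opaque): lists of (user, command) tuples."""
    itemised, opaque = [], []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        entry = (m["user"], m["command"])
        (opaque if is_opaque_shell(m["command"]) else itemised).append(entry)
    return itemised, opaque

if __name__ == "__main__":
    itemised, opaque = split_audit_trail(SAMPLE_LOG)
    for user, cmd in opaque:
        print(f"{user}: root shell via '{cmd}'; later commands are not in the sudo log")
    print(f"{len(itemised)} commands logged individually")
```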