On Sun, Feb 28, 2010 at 11:55 AM, Mike Auty <firstname.lastname@example.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hiya William,
> * * * *Sudo can be used to restrict access, so that only certain programs can
> be run using it. *It asks for your password rather than the user you're
> trying to login to (unlike su). *It also helps maintain a more accurate
> audit trail (although I don't have details on exactly how it does that).
> *Also su I believe only allows access to people in the wheel group.
> * * * *Therefore, you'll see people using them in conjunction (particularly
> with systems like ubuntu that don't give you a root user), so that a
> user can enter their own password and be restricted to a particular
> program in this case su, and keep better audit logs all thanks to sudo.
> *Whilst at the same time it still gives you complete access to the
> system/login shell through su (a simpler and therefore presumably easier
> to secure program). *So they can achieve the same results, but it is the
> differences in the programs and the way they work that makes people
> choose one over the other (or try and combine their best qualities).
I think William's question is specific to invocations of 'sudo su -'
and that 'sudo -s' and 'sudo -i' provide similar results with 1 less
exec. The security of sudo does not help here; both leave you with a
root shell and 0 auditing of commands in that shell by default (unless
root's shell is a audited shell; some places use them). I think the
answer to William's question is 'not everyone knows about sudo -s or
sudo -i.' I used Linux for years before sudo -s became normal usage
for me (sudo bash and sudo su before that) and I assume a number of
users are in a similar position. They found something that works so
they used that to get root with their password.
> * * * *That's the best of my understanding, hope it helps?
> * * * *Mike *5
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
> iEYEARECAAYFAkuKyisACgkQu7rWomwgFXp6KQCfRGn4b10R8o nUVIXlaMgGJ/1o
> -----END PGP SIGNATURE-----