Advantages of using sudo

sudo is being used in Linux distributions which are based on Debian like Ubuntu.

I find using sudo a bit tedious when I need to do something as a root user on our servers. It is clear, however, why it is safer for a Linux user having root priviliges.

The other day, I ran into the man page of sudo_root and found a very clear and concise description of the advantages (and disadvantages) of using sudo. 

root@ub1804_server_vm:/home/john# man sudo_root
sudo_root(8)                                              System Manager's Manual                                              sudo_root(8)

NAME
 sudo_root - How to run administrative commands
...

BENEFITS OF USING SUDO
 The benefits of leaving root disabled by default include the following:
 
 * Users do not have to remember an extra password, which they are likely to forget.
 
 * The installer is able to ask fewer questions.
 
 * It avoids the "I can do anything" interactive login by default - you will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing.
 
 * Sudo adds a log entry of the command(s) run (in /var/log/auth.log).
 
 * Every  attacker trying to brute-force their way into your box will know it has an account named root and will try that first. What they do not know is what the usernames of your other users are.
 
 * Allows easy transfer for admin rights, in a short term or long term period, by adding and removing  users  from  the  sudo  group, while not compromising the root account.
 
 * sudo can be set up with a much more fine-grained security policy.
 
 * On systems with more than one administrator using sudo avoids sharing a password amongst them.
 
DOWNSIDES OF USING SUDO
 Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:
 
 * Redirecting the output of commands run with sudo can be confusing at first. For instance consider
 
     sudo ls > /root/somefile
 
   will not work since it is the shell that tries to write to that file. You can use
 
     ls | sudo tee /root/somefile
 
   to get the behaviour you want.
 
 * In a lot of office environments the ONLY local user on a system is root. All other users are imported using NSS techniques such as nss-ldap. To setup a workstation, or fix it, in the case of a network failure where nss-ldap is broken,  root  is  required.  This tends to leave the system unusable. An extra local user, or an enabled root password is needed here.

...

(For those of you who read man-pages via a terminal emulator, like I do: Yes, I did change the above formatting a bit so it would show up nicely on this page. :-) )

Strangely enough these pros and cons of sudo are not mentioned in the manpage of sudo itself.

  • content/2020052518585558.txt
  • Last modified: 2020/06/18 09:11