31 Aug
2020
31 Aug
'20
1:44 p.m.
On Sun, 30 Aug 2020 15:46:58 -0700
"William Morder via trinity-users"
<trinity-users(a)lists.pearsoncomputing.net> wrote:
On Sunday 30 August 2020 11:19:03 Slávek Banko wrote:
It isn't really all that complex. There are two reasons (well, three, really,
but the third is distro-specific) why none of my systems have sudo installed:
First of all, su is the older default piece of software that is installed on every
Linux system. sudo is an add-on. Every extra piece of software you have
installed increases the complexity of your system and the number of bugs you
have sloshing around. All other things being equal, not installing software
you don't need reduces your system's attack surface. (You'll run into a lot
of
Gentoo users who think this is important.) Having fewer layers in the way can
also make problems easier to troubleshoot.
Secondly, most mainstream distros configure sudo to use user passwords, and
*don't* place any other restrictions on what user accounts can do through
sudo. This means that an attacker only has to break one password—the one
on your user account—to obtain full root access. On an su-only system, the
attacker has to break *two* passwords—your user's, and root's. It isn't a
*lot* of added security, but every little bit helps.
It's the usual security vs. inconvenience tradeoff, and in this case, I admit the
stakes are pretty small. My distro puts its thumb on the scales by requiring me
to install sudo explicitly rather than having it present by default—less work to
leave it off if there's no compelling argument for having it.
I admit that I usually leave a Konsole window that's su'ed to root lying around
permanently, rather than su'ing every time I need to enter a command, but
no one else with physical access to my computers has any idea of how to
use a Linux system, so I'm not very worried. Your situation may be different
there.
E. Liddell
---------------------------------------------------------------------
To unsubscribe, e-mail: trinity-users-unsubscribe(a)lists.pearsoncomputing.net
For additional commands, e-mail: trinity-users-help(a)lists.pearsoncomputing.net
Read list messages on the web archive: http://trinity-users.pearsoncomputing.net/
Please remember not to top-post:
http://trinity.pearsoncomputing.net/mailing_lists/#top-posting
On Saturday 29 of August 2020 13:11:01 William
Morder via trinity-users
Sorry to take so long to respond. I was AFK and lost in the physical world,
and dealing with the problems of living in meatspace.
wrote:
The mysterious E (for Enigmatic) raised the issue of su against sudo; and I've
also heard Nik mention that su is better for the single home user, which is
myself. Until now, sudo + tdesudo has always done the trick for me, but if it
is less secure, and my system will work, then at least I ought to make myself
aware of the distinctions. I've tried out su, but so far I don't see any
benefit, and only hear about the perils of sudo.
It is possible that I can change my habits, so I will look into su. But if
anybody can explain why su or why *not* sudo, I would be grateful, as the
technical descriptions I can find online, or in my Linux guides, do not guide
me toward any decisive points, and I see no reason to change what works.
However, I will suppose that E knows something that I don't on this point, so
I am considering how to implement such a change in my working habits. Okay, so I solved part of the sudoers list / root
password problem.
Turns out that I had not downloaded quite all the sudo packages,
particularly some of the tde-trinity packages, or kde-trinity transition
packages, or something in that lot.
If you do not set a root password and use sudo, then the tdesudo-trinity
package is appropriate to ensure that all tdesu calls are actually tdesudo
=> instead of su and root passwords will use sudo and the user's password.