Simple suggestion for experts dealing with people new to Linux

[MrCloudDenton]

@palladin9479

I've always thought the all or nothing approach of sudo was quite extreme, I'm the only user on my PC so I haven't set up permissions like I would in a Windows work environment I understand Windows permissions well (file/folder permissions, group policy, active directory, administration tools, user/group permissions) much more so than Linux.

Do you have a link explaining su - root? Google is not being helpful, I've heard sudo echo can be used in similar fashion?

 

[MrCloudDenton]

http://www.linfo.org/su.html - This is helpful

It seems to be "su root" not "su - root".

So if I type "su root" do I need to turn off root privileges somehow or just close terminal? What if I'm doing it on a system without a window manager at all?

 

[palladin9479]

Do you have a link explaining su - root? Google is not being helpful, I've heard sudo echo can be used in similar fashion?

su is the Unix/Linux command to assume another users security profile. Users on a POSIX system have both primary user id (uid) and a group id (gid) that defines the basic access they have. Further they can have multiple secondary group id's that enable additional access.

So say your logged in as user bob with uid 10001 (non-privledged uid's should be 10000+) and group id of bob guid (10001), this combination pretty much restricts him to his home folder. Now if he wants to run a command that's owned by bin:bin (2:2) with a file permission of 550. Now to do this he can assume root by running the su command (su root). This will run a new shell with 0:0 as the permissions, it's modern equivalent of running "sudo bash". The "-" part tells the OS to run the new accounts login scripts and assume the full environment vs just switching your uid/gid and keeping your own environment. That part is important as specialized user accounts will often have specific environment variables for them, Oracle RDBMS requires "su - oracle" in order to do administrative tasks. You could also do this by putting bob's user account into the bin group, he would then have semi-elevated privileges and run it as 10001:2.

Now if this was a one and done task, something he'll do real quick and never do again, then sudo is fine. But if this is something bob's going to need to do often, like compile software or edit some file, then the better way to do it would be to configure a RBAC profile that authorizes the user bob access to the specific commands as uid/gui 2:2, or whatever is needed, instead of running everything as 0:0. Bob would then assume that profile by typing "su <profile name>".

Anyhow my general distaste of the sudo command is how it's being used as a one-stop-shop / all-in-one solution for doing any form of administration on a system.

How exactly to do it largely depends on how your distribution implemented it. It's just a bunch of text files under /etc but editing them by hand can be convoluted and often the distribution provides a policy & profile editor.

:Edit:

So if I type "su root" do I need to turn off root privileges somehow or just close terminal? What if I'm doing it on a system without a window manager at all?

Those privileges only exist within that shell session (bash / ksh / csh / sh / ect..). The moment that session is finished (exit) they go away. You should only ever su to root when you have a lot of stuff to type in and know exactly what your doing, otherwise setup RBAC for common stuff.

 

[randomizer]

That is why they created Role Based Access Control (RBAC). You can set it up so that only specific users are allowed to run specific commands at specific privilege levels, rather then running everything as uid/gid 0. Using sudo has been a lazy mans way of doing administrative tasks.

For a single user (or rather, single human user) system this is pretty overkill, and you'll spend more time setting up the system than using it. It makes plenty of sense in a multiple user environment though.

 

[Ijack]

I think you guys are missing the important point that sudo can - and should - be configured to allow root access only on certain commands depending upon the person using it. And it doesn't require that you know the root password. (Unfortunately there's no simple GUI - AFAIK- to configure it .) Also, used properly, it helps guard against mistakes as you have to make the conscious decision to run each command as root. It is all too easy to forget momentarily who you are logged in as.

Sudo is a great command, far more versatile and safer than su. If it doesn't work for you on your system then that's because your system isn't properly configured.

 

[palladin9479]

I think you guys are missing the important point that sudo can - and should - be configured to allow root access only on certain commands depending upon the person using it. And it doesn't require that you know the root password. (Unfortunately there's no simple GUI - AFAIK- to configure it .) Also, used properly, it helps guard against mistakes as you have to make the conscious decision to run each command as root. It is all too easy to forget momentarily who you are logged in as.

Sudo is a great command, far more versatile and safer than su. If it doesn't work for you on your system then that's because your system isn't properly configured.

You just described RBAC by the way. Instead of restricting the individual commands your restricting sudo, same process same result. There is a really simple implementation of RBAC built into sudo, it's limited but it can get the job done. We aren't talking about that, but rather people using 20+ lines of sudo blah blah for their systems. Sudo is great for infrequently running one command to quickly do something. Relying on it as the default method of administration for everything is just as bad as logging in as root. Sudo doesn't provide you with any more protection then su and considerably less once you introduce profiles and limited-privileged accounts.

 

[Ijack]

If you think that sudo provides no more protection than su then I think you misunderstand it. I realize that there are other ways of managing security - which may or may not be easier to configure than sudo - but I am just pointing out that there seems to be some uninformed criticism here of a widely available, easily configured security system. Sudo is a very useful tool when used properly.

 

[palladin9479]

If you think that sudo provides no more protection than su then I think you misunderstand it. I realize that there are other ways of managing security - which may or may not be easier to configure than sudo - but I am just pointing out that there seems to be some uninformed criticism here of a widely available, easily configured security system. Sudo is a very useful tool when used properly.

And there is the crux of the disagreement. Sudo isn't being used properly, it's being used as a shortcut for running a ton of commands as uid 0 gid 0. And no it doesn't provide any more protection then su, it does the exact same thing, assumes 0:0 rights and executes an arbitrary command as them. Ubuntu forces it as the primary way to do stuff, or rather they disabled the root account so that you could only do stuff as sudo. That resulted in people abusing sudo in the same way they would login as root, heck you can even do sudo bash to bypass the whole thing. Sudo bash, type in my own non-elevated password then passwd root and change the root password to whatever I want. It provided zero protection.

Go read my first statement, I recommended people implement RBAC as the default security posture if the users (including single user systems) need to routinely execute commands with elevated permissions. I also recommend people learn exactly what permissions are needed and use those for execution instead of defaulting to 0:0 for everything. Most of what people use root for can actually be done by a member of the bin or adm group. What you mentioned about sudo access configuration is just a poor man's RBAC implementation for small systems, which should be good enough for most things.

Anyhow this is about new users first learning to use GUI's to do stuff rather then dropping to a command prompt and copy pasta a 20 line list of commands from the internet all being prefaced with sudo. That is a horrible abuse of that command.

 

[Ijack]

And no it doesn't provide any more protection then su, it does the exact same thing, assumes 0:0 rights and executes an arbitrary command as them.

Except, it doesn't do that, does it? It allows a particular user to run a specific set of allowed commands with root privileges and asks for the user's password (one configuration - other configurations are available). "Executes an arbitrary command"? - only if you misunderstand and misuse the facility.

That's not what su does. I think you prove my point that you misunderstand the operation of sudo. If you can do "sudo bash" on your system and gain root access then you need to do a little revision of your security setup.

Sudo is a very useful tool when used properly.

Anyhow this is about new users first learning to use GUI's to do stuff rather then dropping to a command prompt and copy pasta a 20 line list of commands from the internet all being prefaced with sudo. That is a horrible abuse of that command.

I agree completely. That is almost as bad as blindly following instructions and using a GUI to achieve a task. This is actually a thread about whether one should recommend generic command-line solutions to probems or specific GUI-based ones that will work on one distribution but not on another. I'm in favour of the generic approach which may even help to instil some understanding of what is actually happening.

 

[palladin9479]

That's not what su does. I think you prove my point that you misunderstand the operation of sudo. If you can do "sudo bash" on your system and gain root access then you need to do a little revision of your security setup.

Umm... keep telling yourself that. And bad attempt at an underhanded insult, you could at least try a little.

Ubuntu comes configured that way by default, which is why I mentioned it. All distro's come configured that way. Configuring it otherwise .... is setting up a poor man's RBAC. Otherwise most of what you said is either illogical or just paraphrasing what I've already said while pretending to be correcting me.

You know, you'd think the guy recommending to everyone to setup RBAC would, ya know, already know how to setup RBAC.

 

[randomizer]

If you can do "sudo bash" on your system and gain root access then you need to do a little revision of your security setup.

The default setup in Ubuntu (the distro used by the bloggers abusing sudo) is to allow executing any commands as any user.

 

[Ijack]

Now we are on to a different question. Is the default setup of Ubuntu secure? I've no argument with anyone who answers "no". Does that mean

1. Use su rather than sudo
2. Tighten up your sudo configuration

I favour 2 rather than 1. If we are talking about the default Ubuntu installation then sudo is the only choice.

This focus on a particular distribution in no way answers the question "do su and sudo do exactly the same thing?". No, they don't. Let's not confuse people with mistruths.

 

[randomizer]

I wasn't asking or answering any questions, just making a tangential comment. We've strayed off topic and it looks like we could have a whole thread just on su vs sudo.

 

[Ijack]

That's not what su does. I think you prove my point that you misunderstand the operation of sudo. If you can do "sudo bash" on your system and gain root access then you need to do a little revision of your security setup.

Umm... keep telling yourself that. And bad attempt at an underhanded insult, you could at least try a little.

Sorry, I'm not with you. You consider it an insult to suggest that a system that allows a user to open a root shell with "sudo bash" is badly configured? That's not an insult, just a fact. I could come up with far better than that if I wanted to insult anyone.

It's another simple truth that anyone who thinks that su and sudo do "the exact same thing" doesn't understand the commands fully.

Anyhow - this is now straying way off the original point, the merits of giving command-line soultions as opposed to GUI ones. I've given my opinion on that, and the reasons for that opinion, and I'm not inclined to get drawn further into a sidetrack of half-understood commands. All are welcome to their own views and it is an interesting topic as to the merits of generic and specific problem solving. I've always favoured the idea of leading people to find their own solution and maybe learn a little in the process.

 

[Ijack]

I wasn't asking or answering any questions, just making a tangential comment. We've strayed off topic and it looks like we could have a whole thread just on su vs sudo.

I agree that we are straying way off topic. And Ubuntu vs. other distributions could be another one - don't get me started on that one!

 

[nss000]

MrCD:

We have no disagreement. I have used UBUNTU exclusively since U_6.06 and comfortably use SPM all-the-time. The issue on this thread points in a different direction.

Namely, if circumstances of convenience or constraint make appropriate the use of a TEXT COMMAND to call for download and installation of a Linux application, does manual CLI text-entering have an advantage over COPY/PASTE?

My answer -- having used Linux systems for 25-years -- is that **it depends**. In my personal case I am greatly aggravated by having to use a keyboard at all. I've written LOTS of code ... and while loving the "poetry" & output I've hated every keystroke! tappatapparuutruuttappaclicktappatappa.................. that's just barrels of monkeys funf! So gawdsakes copy/paste some poorgents 50-lines of alpha-numeric nonesence and get on with writing that novel, applying those boundary-conditions, plotting the Bessel-function or un-redening baby eyeblink or whatever it is you do that makes a computer useful.

" It's true, I've NEVER used Ubuntu "software center". From the first it sounded like a con, undesirable complexity, and I expect to access all-available packages thru synaptic! "

Ubuntu Software Center is not a con and it's extremely simple, it just runs slowly and is missing some lesser used packages.

@nss000 I highly reccomend you get comfortable using Synaptic Package Manage as much as possible you can search and find items without knowing the exact package name. If your using a piece of software like Apache Office you can add the repository and browse it in SPM or right click on the .deb and open in USC or Gdebi, or if it's a executable installer, just right click on it, tick allow to run as executable and then right click run as executable.

@palladin9479 You're first paragraph is on the money, I've yet to come across a new Linux user that's more competent with terminal commands than GUI. By a long shot.

I'm not sure I understand exactly what you mean in the second paragraph, you don't like the fact sudo is temporary root privileges? Do you log out of your normal user the into a root account whenever you need root privileges?