Best of the Newsgroups: sudo vs. root access





From: Tony Lawrence <apl@shell01.TheWorld.com>
Subject: Re: Login as Root User
Date: Wed, 31 Dec 2003 12:57:24 +0000 (UTC)
Message-ID: <bsuh3k$366$2@pcls4.std.com> 
References: <carln-1B0BCD.16182626122003@brokaw.wa.com> <bsp69j$374$2@pcls4.std.com> <tomstiller-182CE6.07362429122003@comcast.ash.giganews.com> <bsp84g$374$3@pcls4.std.com> <vilain-E7D414.12245629122003@comcast.ash.giganews.com> 

"Michael wrote:
>In article <bsp84g$374$3@pcls4.std.com>,
> Tony Lawrence <apl@shell01.TheWorld.com> wrote:

>> Tom Stiller <tomstiller@comcast.net> wrote:
>> >In article <bsp69j$374$2@pcls4.std.com>,
>> > Tony Lawrence <apl@shell01.TheWorld.com> wrote:
>> 
>> >> Carl J. Niedermeyer <carln@halcyon.com> wrote:
>> >> >How does one log in as a root user?
>> >> 
>> >> Well, first you need root to have a password.  You do that with
>> >> System Preferences -> Security -> Enable Root User or simply 
>> >> "sudo passwd root" at a Terminal prompt (you give your password
>> >> first, then assign the root password).
>> 
>> >You can't enable the root user with a System Preferences panel; it's 
>> >done with the NetInfo Manager utility in /Applications/Utilities. 
>> 
>> Right, sorry..
>> 
>> >Be advised that if you enable the root user with 'sudo passwd root', you 
>> >will have a difficult time disabling it should you want to.
>> 
>> True enough.  Though I don't agree with Apple's philosophy on
>> this being disabled to start with.



>Perhaps you haven't been paged to come into the office because the evil 
>developer hosed their system by deleting files they didn't think were 
>needed, like /lib/ld.so on Solaris.  All the dynamically linked 
>applications on the system like cp, ls, mv, etc. fail when the file is 
>not present.  It's easy enough to recover from if you have the install 
>media, but fixing someone's dumb mistake at 3am on Sunday morning 
>doesn't make one's mood any lighter.

So?  Anyone can cause just as much damage with "sudo".

>> 
>> >You can always become root in the Terminal by entering 'sudo su -'.  
>> >Unless you need/want to be root with a GUI, there's no need to enable 
>> >the root account.
>> 
>> 
>> I'd rather have a root password than depend on sudo.  Really,
>> that's all "enabling" means here: having a password you can use rather
>> than something you can only get at through the grace of sudo.  

>Since there's no need to ever login as root on MacOS X, why do you 
>prefer it?  It can't be tracked as well as sudo access.  It provides a 
>very high _oops_ factor.  Unless you run daily backups on your systems, 
>how do you recover files that get accidentally deleted by root (no, Norton 
>doesn't work very well on MacOS X).

Never say never.  If sudo broke, you would need to login as root.

>The only reason I ever logged in as root on Solaris systems was to get 
>into single-user mode and repair a disk with fsck.  Since no password is 
>required on MacOS X, why do you feel you need root access over something 
>that's more secure?




You HAVE root access now.  All I'm saying is that I'd rather be able
to use it directly than depend on sudo.


>> 
>> You could perhaps argue that if a weak password is used, you might have
>> been better off leaving it as it was, but if your admin account is
>> weak also you didn't add much insecurity to what was already there.
>> So what's the point?
>> 
>> Not that needing root in any way at all comes up very often, of course.

>Having been a sysadmin for over 10 years, I find my job much harder if a 
>site allows users to have root access on their desktop systems.  The only 
>place this wasn't the case was at SUN.  Those people knew fully well 
>what root could do and guarded their root password very carefully.

I've worked on Unix systems for over 20 years now.  There
are times you need root.  My experience is probably different than
yours because my primary business is troubleshooting: broken systems
that aren't booting, services not running etc.  Generally, you
need root access.  

>It's much easier at sites where root access is available to those who 
>know what it can do and respect it.  I don't feel average users should 
>want or need root access.  sudo gives them access to a root shell if 
>they want and it logs this access in /var/log/syslog.log.  

I don't disagree.  But setting a root password that the system owner
or main admin or MIS or mufwic has doesn't change any of that: 
ordinarily people use sudo, but the password is there if need be.

>At other sites, if anytime an engineer wanted root access and pushed the 
>fact that he needed it 'to get his job done', we suggested that he also 
>join the on-call rotation and respond to outages after hours.  That was 
>usually enough to quiet them down--their manager didn't want them doing 
>_our_ job but the job they were hired for.

So?  

>It might be that the OP (and some other posters) is a "maximizer" rather 
>than a "satisficer" when it comes to making choices.  Maximizers always 
>want the best and search long and hard to get it.  Satisficers settle for 
>"does the job and is good enough".  sudo is 'good enough'.

Seems dumb to me to be totally dependent on su.  Would you really
run your personal machine that way?  I sure as hell won't.  

Understand I am NOT arguing against sudo.  Properly set up, it's
a wonderful tool for giving the power you want to sub-admins and 
even co-admins get benefit from using it.  But that doesn't mean
that I'd lock myself out of root entirely as Apple has done.  This
is an area where they did it wrong, just like having tcsh as the 
default shell.  

-- 
tony@aplawrence.com Unix/Linux/Mac OS X  resources: http://aplawrence.com
Get paid for writing about tech: http://aplawrence.com/publish.html
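
The thread turns on how well sudo "tracks" root use. The following is an added example, not part of the original post: it parses sudo's standard syslog line format and separates individually logged commands from root shells (such as `sudo su -`), after which sudo records nothing further. The log lines are constructed samples and the category names are hypothetical.

```python
import os
import re

# Constructed sample lines in sudo's standard syslog format (not from the post).
SAMPLE_LOG = """\
Dec 31 12:40:01 mac sudo:    alice : TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/diskutil list
Dec 31 12:41:17 mac sudo:      bob : TTY=ttyp2 ; PWD=/Users/bob ; USER=root ; COMMAND=/usr/bin/su -
Dec 31 12:45:02 mac sudo:    carol : TTY=ttyp3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Dec 31 12:50:30 mac sudo:    alice : TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/passwd root
Dec 31 12:52:44 mac sudo:      bob : 3 incorrect password attempts ; TTY=ttyp2 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/ls
"""

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}
LINE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")


def classify(rest):
    """Return (category, command) for the part of a sudo line after 'user : '."""
    # COMMAND= is always the last field, so everything after it is the command.
    head, _, command = rest.partition("COMMAND=")
    argv = command.split()
    prog = os.path.basename(argv[0]) if argv else ""
    if "incorrect password" in head:
        return "auth-failure", command
    # su, or a bare shell with no arguments: an interactive root session
    # whose later commands never reach the sudo log.
    if prog == "su" or (prog in SHELLS and len(argv) == 1):
        return "root-shell", command
    # The 'sudo passwd root' step discussed in the thread.
    if prog == "passwd" and argv[1:] == ["root"]:
        return "root-password-set", command
    return "command", command


def audit(log_text):
    """Return a list of (user, category, command) for every sudo log line."""
    events = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            events.append((m.group("user"),) + classify(m.group("rest")))
    return events


if __name__ == "__main__":
    for user, category, command in audit(SAMPLE_LOG):
        print(f"{category:18} {user:6} {command}")
```

Only the `command` entries give a per-command audit trail; a `root-shell` entry marks the point where the sudo log stops describing what was done as root.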









/Bofcusm/2419.html copyright 1997-2004 (various authors) All Rights Reserved
