13

Background

I know the difference between su -, sudo su -, and sudo <command>:

  • su - - switches user to root, requires the root password
  • sudo su - - switches user to root, requires only the current user's password
  • sudo <command> - grants root access only for a specific command; requires only the current user's password

My question is about whether or not using sudo su - is a safe practice in a production environment.

Some thoughts:

  1. It seems like allowing sudo su - poses a security risk by making access to the root account dependent upon individual user passwords. Of course, this might be mitigated by enforcing a strict password policy. I don't think su - is any better since it would require the administrator to share the actual root password.

  2. Allowing users to completely switch to the root account makes it more difficult to keep track of who makes changes to the system. I've seen cases at my day job where multiple users are given sudo su - access. The first thing the users do when logging into the system is run sudo su -, before beginning work. Then, one day something breaks, and there is no traceability to who ran rm -rf * in the wrong directory.

Questions

Given the above concerns, is it ever a good idea to allow users to use sudo su - or even su - at all?

Are there any reasons an administrator would configure user accounts for sudo su - or su - instead of sudo <command> (aside from laziness)?

Note: I am ignoring the case where the user running sudo su - or su - is the Administrator needing to make system changes, when direct ssh access has been disabled for the root user.

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
Kingand
  • 253
  • 1
  • 2
  • 6

3 Answers3

12

Let's look your cases:

 su -

will run a /bin/sh as the root user using the root environment. The root password is needed and logging MAY be logged depending on syslog settings (usually is by default to /var/log/auth.log).

 sudo /bin/sh

will run shell as the root user using the current set of environment variables (with some exceptions as would be defined in the sudoers file). The password is the source user password and NOT the root user password. sudo is usually logged.

 sudo su -

will run a shell (usually /bin/sh) as the root user setting up the environment as the root user. This will require the password of the source user and this will generally be logged.

Sometimes it is necessary to have the root environment over your own environment, thus su - is an appropriate method. Remember sudo will still log the use of the shell command in either case.

Skyhawk
  • 14,149
  • 3
  • 52
  • 95
mdpc
  • 11,698
  • 28
  • 51
  • 65
0

*Given the above concerns, is it ever a good idea to allow users to use sudo su *

No, not in my opinion. It has no practical advantage over allowing them to su except they don't need the root password to do it.

or su - at all?

Since I always disable root logon, su is necessary and on balance, makes the server more secure.

Ron Lawhorn
  • 21
  • 2
  • 2
    Not requiring everyone to actively share the root password has important security cultural advantages that should not be overlooked. – Falcon Momot Aug 09 '14 at 16:32
0

The OP seems to provide plenty of good reasons to not allow/encourage general uses to run sudo bash or sudo su - since that switches them to an all-powerful mode the internals of which are generally not logged. And they might forget they are in that mode and do something ... regrettable.

Ergo, it seems more secure to have most users restricted to running sudo on/a/particular/command/ or list of commands. That way every sudo command is logged.

Will you encounter exceptions in practice? Sure. Is the reaction to such exceptions to revert to the lazy practice of un-restricted sudo su --probably not.

MarkHu
  • 121
  • 4