0
On many varieties of Linux and Unix, the root user is not allowed to use sudo. Why is this? Is there any security concern with the root ALL=(ALL) ALL present in some other varieties' default sudoers configuration?
2
There are two 'standard' versions of /etc/sudoers used by Linux distros. One follows the principle of least privilege, and does not by default include the line you mentioned. The other prefers usability and ease of maintenance, and includes the line you listed above.
From a practical perspective, outside of very highly constrained environments involving things like SELinux, there is no difference in security between the two versions because root already has all the tools he needs to impersonate other users (either via su, or using any other software capable of calling setuid()).
However, there is an administrative advantage to being able to use sudo -u as root to impersonate other users. Because sudo properly sanitizes the environment and then follows standard shell login procedures, using sudo -u to impersonate a user allows you to more accurately reproduce issues reported by that user than you would be able to with just su, which in turn makes help-desk type work much easier.
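
To tell which of the two sudoers variants described in the answer a host ships, the check below looks for a user specification for root. It is an added example, not part of the original answer: the function names and both sample files are constructed, and it assumes a single file with no include directives, no User_Alias expansion and no `#uid` user syntax.

```shell
#!/bin/sh
# user_specs FILE USER: print each user specification whose user field is USER.
# Handles comments and backslash continuations. Include directives are skipped,
# not followed, and aliases are not expanded (assumptions of this example).
user_specs() {
    awk -v user="$2" '
        # join a line ending in a backslash with the line that follows it
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        # "#include" and "@include" are directives, not comments
        line ~ /^[ \t]*[#@]include/ { next }
        # strip comments, collapse whitespace, trim the leading blank
        { sub(/[ \t]*#.*/, "", line); gsub(/[ \t]+/, " ", line); sub(/^ /, "", line) }
        line == "" { next }
        { split(line, f, " ") }
        # a user specification has USER as first field and a host=command part
        f[1] == user && index(line, "=") { print line }
    ' "$1"
}

# has_root_rule FILE: exit 0 if root has any user specification, else 1
has_root_rule() {
    [ -n "$(user_specs "$1" root)" ]
}

# Constructed sample: the variant that favours usability (root rule present)
sample_with_root() {
    cat <<'EOF'
# constructed sample, not a real distro file
Defaults env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) \
        ALL
EOF
}

# Constructed sample: the least-privilege variant (root rule only in a comment)
sample_without_root() {
    cat <<'EOF'
Defaults env_reset
# root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
EOF
}
```

On a live system, `sudo -l -U root` run as root reports what the active policy grants, including rules pulled in from included files.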