EPIC BASH Battles! sudo vs. su

I was challenged by a colleague on the differences between sudo and su – a perfect blog topic!

su (switch user): the su command switches to a different user and starts a shell as that user. su prompts you for the password of the user you are switching to, and once you enter it you are in that user’s environment. No config file is used, and the security implication is that access is unfettered once the user is in … AND generally no logging – BAD – read that again . . no logging. su also increases the risk of account traversal without user attribution as to WHO ran WHAT command.

sudo (superuser do) allows users to run specific commands as root (or as another user, if sudo -u <user> is given) AND uses a config file: /etc/sudoers.

Per Official Ubuntu docs:

“The /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).”

When sudo is invoked, it prompts for the password of the user who invoked it – to confirm that the person at the keyboard is the user listed in /etc/sudoers.

Another, hybrid example (and generally bad practice): sudo su calls sudo with the command su. Bash is started as an interactive non-login shell, so it executes .bashrc only, and /etc/sudoers looks like this:

<user1>  ALL = NOPASSWD: /bin/su - <otheruser>

If you need to do this, try sudo -u user2 instead; environment files such as .profile and .bashrc are used. Lock down /etc/sudoers by allowing only specific commands to be run:

<user1>  ALL=(user2) NOPASSWD: /usr/bin/apt-get*, /etc/init.d/apache2 restart
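To see the difference between the two sudoers lines above in a checkable form, here is an added example (my own code, not from the original post or from the sudo project) that parses user specifications in /etc/sudoers format and flags the patterns the post argues against: a rule that hands out su (which is sudo su in disguise), a rule whose command list is ALL, and NOPASSWD combined with ALL. It also notes a caveat the post does not mention: a wildcard in the command path, as in /usr/bin/apt-get*, matches any binary with that prefix, so sudoers(5) advises using such wildcards with care. The sample sudoers text is constructed; the two user1 lines are the ones from the post, the rest are added for the demonstration.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample in /etc/sudoers format (not a real host's file).
SUDOERS_SAMPLE = """\
Defaults        env_reset
User_Alias      ADMINS = alice, bob
root    ALL=(ALL:ALL) ALL
user1   ALL = NOPASSWD: /bin/su - otheruser
user1   ALL=(user2) NOPASSWD: /usr/bin/apt-get*, /etc/init.d/apache2 restart
deploy  ALL=(ALL) NOPASSWD: ALL
ops     web01 = (root) /usr/sbin/service nginx restart   # trailing comment
"""

# Tags that may precede a command in a user specification (sudoers(5)).
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

# User  Host = [(Runas)] [Tag:] Cmnd, Cmnd, ...
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


@dataclass
class Rule:
    user: str
    host: str
    runas: str        # sudo's default target is root when no (runas) is given
    tags: set
    commands: list


def parse_sudoers(text):
    """Parse user specifications; Defaults and *_Alias lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, host, runas, rest = m.groups()
        tags, commands = set(), []
        for part in rest.split(","):
            tokens = part.split()
            # A tag applies to the commands that follow it; this simplified
            # parser records tags per rule, which is enough for the audit.
            while tokens and tokens[0].endswith(":") and tokens[0][:-1] in TAGS:
                tags.add(tokens.pop(0)[:-1])
            if tokens:
                commands.append(" ".join(tokens))
        rules.append(Rule(user, host, runas or "root", tags, commands))
    return rules


def audit_sudoers(text):
    """Return (user, finding) pairs for the weak patterns discussed in the post."""
    findings = []
    for r in parse_sudoers(text):
        if r.user == "root":
            continue                              # root's own line is expected
        for cmd in r.commands:
            prog = cmd.split()[0]
            if cmd == "ALL":
                findings.append((r.user, "ALL-commands"))
            elif os.path.basename(prog) == "su":
                # a sudo rule that runs su is "sudo su" in disguise
                findings.append((r.user, "su-via-sudo"))
            elif "*" in prog:
                # wildcard in the path matches other binaries with that prefix
                findings.append((r.user, "wildcard-path"))
        if "NOPASSWD" in r.tags and "ALL" in r.commands:
            findings.append((r.user, "NOPASSWD-ALL"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_sudoers(SUDOERS_SAMPLE):
        print(f"{user:8} {finding}")
```

Run against the sample, the audit flags user1 for the su rule and the apt-get wildcard and deploy for NOPASSWD on ALL, while the ops line, which names one exact command, passes. To check a real file, read /etc/sudoers (and each file under /etc/sudoers.d) and pass its contents to audit_sudoers; the parser deliberately ignores aliases, so expand them first if your file relies on Cmnd_Alias definitions.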

For security purposes we ALWAYS use sudo, and never su. We can lock down which commands may be run in /etc/sudoers. sudo is also better because it provides user accounting (logging), so we know WHO ran WHAT commands. Never use sudo su. The more we customize /etc/sudoers, calling out the specific commands that may be run, the better.
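The accounting point is easiest to see in the log. sudo writes one syslog line per invocation (to auth.log on Ubuntu) naming the invoking user, the target user and the full command, and writes a "command not allowed" line when a rule denies the request; su, where PAM logs it at all, records only that a switch happened, not what was run in the resulting shell. The following is an added example (my own code, not from the post or from the sudo project) that parses a constructed auth.log excerpt in those two formats and builds the WHO ran WHAT view a reviewer wants; the line formats are the ones sudo and util-linux su actually emit, but the hostnames, users and timestamps are made up.

```python
import re

# Constructed auth.log excerpt (syslog format as written by sudo and by su).
AUTH_LOG_SAMPLE = """\
Mar  4 10:21:07 web01 sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  4 10:22:15 web01 sudo:    user1 : command not allowed ; TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/su -
Mar  4 10:23:40 web01 sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=user2 ; COMMAND=/etc/init.d/apache2 restart
Mar  4 10:25:02 web01 su: (to root) ops on pts/1
Mar  4 10:25:03 web01 su: pam_unix(su:session): session opened for user root by ops(uid=1001)
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "

# sudo: "<user> : [command not allowed ; ]TTY=.. ; PWD=.. ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    TS + r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# util-linux su: "(to <runas>) <user> on <tty>" -- note: no command field
SU_RE = re.compile(TS + r"su: \(to (?P<runas>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")


def parse_auth_log(text):
    """Return one event dict per sudo/su line; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append({"tool": "sudo", "who": m["user"], "runas": m["runas"],
                           "command": m["cmd"], "allowed": m["denied"] is None})
            continue
        m = SU_RE.match(line)
        if m:
            events.append({"tool": "su", "who": m["user"], "runas": m["runas"],
                           "command": None, "allowed": True})
    return events


def accounting_report(events):
    """Map (who, runas) -> list of commands actually permitted to run."""
    report = {}
    for e in events:
        if not e["allowed"]:
            continue
        what = e["command"] if e["tool"] == "sudo" else "<shell via su; commands not attributed>"
        report.setdefault((e["who"], e["runas"]), []).append(what)
    return report


def denied_attempts(events):
    """sudo requests that a sudoers rule rejected; worth alerting on."""
    return [e for e in events if not e["allowed"]]


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG_SAMPLE)
    for (who, runas), cmds in accounting_report(evs).items():
        for c in cmds:
            print(f"{who} as {runas}: {c}")
    for e in denied_attempts(evs):
        print(f"DENIED {e['who']} as {e['runas']}: {e['command']}")
```

For user1 the report shows exactly which commands ran, and as which target user, with the denied su attempt listed separately; for ops it can only say that a root shell was opened, which is the attribution gap the post describes. Feeding real /var/log/auth.log lines through parse_auth_log works unchanged, since both regexes match the formats as logged; if your distribution's su logs "Successful su for root by ops" instead, add a pattern for that form.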

Sudo is the WINNER!

