Ubuntu – How is sudo safer than directly using su if the user is granted access to all commands

administratorcommand lineSecuritysudo

So I've been reading into the differences between using su and sudo, and everyone seems to be in agreement that the sudo approach is safer than allowing access to the root account itself. They say that with the root account you could break your entire system with just a single command. This I understand. BUT the initial user created on the system also has access to all commands using sudo. This I can find out by running su -l. If this is the case, then I can simply run sudo <game-ending command> to ruin my system. So how is this approach better or safer then allowing me direct access to the super user account? I can run all of the same commands…

Is it because using sudo on the command line I am explicitly telling the computer I think I know what I am doing? Do they think people will forget they are under the super user account unless they explicitly say so?

People also state that if the system were compromised and entered by someone foreign, being under the root account would allow them to do terrible things to my system. But it seems to me if they already have access to my account, and know my password, they can do these same terrible things by using sudo and entering my password since they don't even need to know the super user's password. What am I not getting here?

Best Answer

Personally I do not necessarily consider it safer and most of the benefits (of sudo) are on a multi user system. On a single user system it probably is a wash.

The benefits are (in no particular order):

sudo has superior logging. sudo logs each command.
sudo allows finer grain control. One can configure sudo to give root access to some but not all commands.
sudo uses the login password. This protects having to give the root password (as you would with su) and is related to the point above regarding finer grained control / access to root.
In Ubuntu, by default, the root account is locked. This deters crackers as to log in (remote via say ssh) they have to guess both a user name and a password. If the root account is not locked, as is the case with su, then they only need to crack root's password.
sudo -i is probably the best method to isolate root's environmental variables from your user. This comes up from time to time but is moderately esoteric. See https://help.ubuntu.com/community/RootSudo#Special_notes_on_sudo_and_shells
some people feel that having to type sudo before every command they wish to run as root or having sudo time out allows them to stop and think more clearly and reduces their errors or running erroneous commands. If doing so helps you that would be a benefit as well.

There are probably more benefits , but, those are the major ones, IMHO.

To try to answer some of your other thoughts:

There is nothing about either su or sudo that prevents you running malicious code as long as you know the password. Neither is safer or better.
Crackers can obtain shell access via a number of methods. When you see "run arbitrary code" in a security notice - https://usn.ubuntu.com/usn/ - that means a cracker can run /bin/bash or any other code. Thus a cracker, via various exploits, can obtain shell access without knowing your login name or password. Neither sudo or su helps with this.
If a cracker has shell access they can do a lot of damage without root access. For example the ransomware that encrypts all your personal data.
If a cracker has shell access to an account with root access, via either su or sudo, the cracker can obtain root access via a number of methods beyond the scope of this discussion. Neither sudo or su is superior in this respect either.

So while you have observed problems or flaws with sudo, su has the exact same vulnerabilities and su is not superior to sudo in those aspects, IMHO

Related Solutions

Ubuntu – How important is the sudo password

I know that the sudo password protects my computer from being locally hacked by someone having physical access to it.

I do not want to scare you too much, but if someone has physical access you handed access over to them regardless of how strong your password is. It will take 1 reboot by someone for that someone to be able change your root password (can be done from "grub rescue" without the need to supply your current password). By the way: this method is considered valid and a feature, and an accepted security risk (otherwise you would never be able to fix your system in case the password did get compromised).

but I know that it is not strong enough if someone can brute-force it remotely.

Here comes something else in play: a ROUTER should be smart enough to lock access from the outside if it is a repeated request asking for the same information over a short period of time. Basically what you have here is a DOS attack (or a DDOS if 2+ computers attacking you). A router should kill that connection and enforce a waiting period before accepting new requests from that connection.

Can anybody access my computer in root mode using my sudo password with no physical access to the computer, on a standard Ubuntu desktop installation ?

They first need to connect, then provide the sudo password. "root" mode is disabled and you can not directly log in to a "#" prompt.

Note that it is possible to abuse a service. If you have "ssh" running on that machine and they can "ssh" to your system, and get a hand on your username and password for that user (and as it is an admin user your sudo password too) they can access your machine and mess it up. By the way: if they do it like that they must have knowledge of your system first (like your password).

But then there is an issue with that (and any other method): how did they get your password? They can NOT get it from your system itself. And in general guessing is not worth the trouble. If it was socially engineered ... then your problem is there, not with the security model of your system, Ubuntu or Linux in general.

As long as your sudo password is yours you will/should be fine. And you will be even better off if it is a strong password (maybe easy to remember for you but not guessable by others). An example I used before when discussing this: If your dog is named "Abwegwfkwefkwe" using "Abwegwfkwefkwe" as a password is BAD even though it looks good (since someone could ask you: 'what is your dog's name' and they try that as a free guess). If you have no relation to "Abwegwfkwefkwe" it is a good password.

Best advice I can give:

do not enter your admin password when asked for it unless you know it was expected to be asked. If you open a browser and are given a popup that looks like our "asking for admin account password" ... stop ... and think first.
do not leave your system unattended when the "sudo" grace period is active. sudo --reset-timestamp removes the current grace period and will ask for the password again when you next use "sudo". Lock your screen when you go AFK.
do not install services or software for the fun of it. If you do not need ssh do not install ssh, if you do not use a webserver do not install a webserver. And have a look at the currently running services. If you do not use BT on a notebook, disable it. If you do not use a webcam disable it (if active). Delete software you do not use anymore.
and for the really paranoid (and yes Paranoid Panda I am looking at you): change the password every so often. You can even install rootkit hunters to check for inappropriate access.
backup your important data to something that you keep off-line. So even if you do find someone on your system you can format it, and start over with a new install and your data restored.

Ubuntu – what is the sudo password for a –disabled-password user

That wont fly... you need a password for the sudo user to be able to disable the sudo password. So that goes the other way round: 1st disable sudo pwd then disabled-password. And I suggest NEVER to do this kind of action w/o a backup sudo user. Leave the 1st sudo user as is. Maybe with a good password (64 chars you generate randomly and store that in an safe). Use a 2nd sudo account to set your method up. That way you can use your 1st sudoer as a fallback.

And you need

{user} ALL=(ALL) NOPASSWD:ALL

/etc/sudoers.d/{user}

If you can't un-disable you can use live session to edit the sudoers file.

Best Answer

Related Solutions

Ubuntu – How important is the sudo password

Ubuntu – what is the sudo password for a –disabled-password user

Related Question