[nylug-talk] sudo vs 'ssh as root'
Gary Mort
gmlug at saplings.us
Thu Jul 12 07:04:31 EDT 2007
Michael Bubb wrote:
>
> This is, I realize, a fairly basic security question (which I am
> cross-posting to SAGE). I have heard people who angrily declaim
> sudo... but I have never gone through the process of figuring this out
> for myself.
>
My experience is that sudo is a royal pain in the butt to remember and
get into the habit of using.
When you sit down, log on to the system, use an editor to pull up a
config file you need to make changes to, run through them all for about
10 minutes, and then try to save it only to discover you don't have
write privileges, it is very frustrating.
When you're in the middle of a full-blown crisis which needs to be fixed
NOW, and some genius decided to move everyone to sudo and disable su,
you get really embittered about using sudo.
In short, it is a different mindset. And it is one that in almost every
case with a shared system you should cram down your users' throats.
Because once you're IN the mindset, it really won't take any extra time.
And you get to log all the things that are done.
The problem mainly is in rolling it out in such a manner as to not have
an adverse impact on the other admins in case there is a crisis.
My experience is it only takes one crisis for management to decide they
don't want to use some tool/process because it "caused the problem" -
and once they're in the mindset of looking for something to blame, they
don't want to hear about the interactions of many different things which
caused the crisis - there MUST be something to blame, so what are you
going to do? Let them blame sudo? Or have them blame you? Whereas it
takes a dozen instances of losing data/config for management to decide
they want to implement tighter security because they're having
problems (and when you tell them the reason it wasn't set up that way in
the first place was because they wouldn't allow it, you're told "Let's not
point fingers, we just need to get this resolved for the future". This
statement coming right after their pointed question "Why didn't YOU have
it configured this way to begin with?")
sudo is a large inconvenience to get into the habit of, and then a small
inconvenience later on.