On Sunday 28 February 2010 07:06:43 ubiquitous1980 wrote:
> Nikos Chantziaras wrote:
> > On 02/28/2010 05:57 AM, ubiquitous1980 wrote:
> >> If I have logged in through sudo such as $ sudo su, when I then use man
> >> pages, they are covered in "ESC". This does not occur when using normal
> >> user accounts or the root account through su. Wondering what is going
> >> on. Thanks.
> >
> > Some ENV variables are unset by sudo.
> >
> > But anyway, "sudo su" makes zero sense :P
>
> sudo su makes sense if you want to use the root account while having the
> root account locked. Some, like Ubuntu, do it for security reasons.
> Not sure if they are valid, but I thought I would put this little
> problem out there for someone to make comment on.

I use "sudo su" a lot, and make it available to other root users on my
servers. It all makes perfect sense in the context of:

1. The password for the root account is secret. Changing it is a real
ball-ache, something not undertaken lightly.
2. The password is known to very very few persons, and ideally would be kept in
a locked safe needing signed CTO approval to open it.
3. I have a provisioning system that deploys users, their keys and password
hashes.
4. The person running "sudo su" is authorized to do so, so he gets root.
There's an audit trail too as not just anyone can get to my remote sysloggers.
5. When someone leaves, in the old days we had to manually change 100+ root
passwords, and of course always forget at least one. Now I run one command on
my user provisioning system and within 30 minutes that person's access is
gone, and I can guarantee a) it's gone everywhere b) there are no back doors.
6. Not all OSes out there support sudo -i.

So in the context of multi-admin servers, sudo su (or sudo -i if you will)
makes perfect sense, and su far less so.


-- 
alan dot mckinnon at gmail dot com
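An added example, not written by anyone in the thread, for the point above that sudo unsets environment variables: a small POSIX-shell check that lists which names disappear between the caller's shell and the sudo'd environment, and picks out the ones that change how man(1) pages and renders output. The two environment dumps are constructed samples; on a real host they would be replaced by the output of `env` and `sudo env`, and which names survive depends on that host's sudoers env_reset/env_keep settings.

```shell
#!/bin/sh
# Added example, not from the thread: find which environment variables sudo's
# env_reset dropped, since a missing pager/terminal variable is the usual reason
# man(1) output shows raw escape sequences after "sudo su".

# dropped_vars BEFORE AFTER: print, one per line and sorted, the variable names
# present in BEFORE but absent from AFTER. Both arguments are "NAME=value"
# dumps as printed by env(1) (values containing newlines are not handled).
dropped_vars() {
    after_names=$(printf '%s\n' "$2" | cut -d= -f1 | sort -u)
    printf '%s\n' "$1" | cut -d= -f1 | sort -u | while IFS= read -r name; do
        printf '%s\n' "$after_names" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# dropped_man_vars BEFORE AFTER: the subset of dropped names that change how
# man(1) formats or pages its output; a non-empty result is the first thing to
# look at when man shows "ESC" under sudo.
dropped_man_vars() {
    dropped_vars "$1" "$2" | grep -xE 'PAGER|MANPAGER|LESS|TERM|LANG|LC_ALL|MANWIDTH' || true
}

# Constructed sample dumps standing in for `env` in the admin's own shell and
# `sudo env` on a host whose sudoers has env_reset but no env_keep for the
# pager variables (assumed values, not taken from any real host).
BEFORE_ENV='HOME=/home/alice
USER=alice
TERM=xterm-256color
PAGER=less
LESS=-R
LANG=en_US.UTF-8
PATH=/usr/local/bin:/usr/bin:/bin'

AFTER_ENV='HOME=/root
USER=root
TERM=xterm-256color
LANG=en_US.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SUDO_USER=alice'

# Stand-alone run against the samples; on a real host use:
#   dropped_man_vars "$(env)" "$(sudo env)"
echo "Dropped by sudo:"
dropped_vars "$BEFORE_ENV" "$AFTER_ENV"
echo "Of which man-relevant:"
dropped_man_vars "$BEFORE_ENV" "$AFTER_ENV"
```

If the check names a pager variable, the fix that keeps the rest of the caller's environment out of the root shell is to whitelist just that name in sudoers with `Defaults env_keep += "PAGER"` (or `LESS`, etc.), rather than turning env_reset off.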