Stroller wrote:
>
> On 9 Feb 2009, at 13:05, Heiko Wundram wrote:
>> ... even when he gets access to one of
>> your user accounts (who happen to be in group wheel), he still has to guess
>> the root password (when doing su -) to be able to become root, and hopefully
>> this buys you the time to see in your logs that someone tried local "su" with
>> invalid passwords, which should always be a high priority alert.
>
> I have been using `sudo` over `su` for a long time because I felt it
> reduces the risk of staying too long logged in as root, doing something
> daft and damaging the system.
>
> However I have now many times found myself typing `sudo` commands
> automatically & sometimes inattentively, so that would seem to undermine
> that argument.
>
> Your point is very persuasive. I guess my remaining objection is that I
> have my .bashrc & .bash_profile just the way I like them, and using root
> would seem to require me to make any changes in two places.

You can instruct sudo to ask for the target user's password instead of
your own. In this case, you can make it ask for root's password. Look
up "targetpw" in sudo's docs. To make sudo ask for the target user's
password by default, put this in /etc/sudoers:

    Defaults targetpw
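
With `targetpw` set, a failed `sudo` prompt is a wrong guess at root's password, the same signal as the failed `su` attempts mentioned in the quoted text, so both can feed one alert. The following is an added example, not part of the original message; the log line formats (shadow `su` and `sudo` syslog messages), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread). Formats assumed:
# shadow's su ("FAILED su for X by Y") and sudo's "N incorrect password attempts".
SAMPLE_LOG = """\
Feb  9 13:01:12 box su[4211]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/2 ruser=alice rhost=  user=root
Feb  9 13:01:14 box su[4211]: FAILED su for root by alice
Feb  9 13:01:20 box su[4215]: FAILED su for root by alice
Feb  9 13:02:03 box sudo:    alice : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Feb  9 13:05:40 box su[4302]: Successful su for root by bob
Feb  9 13:06:10 box sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
"""

# One pattern per tool, so the extra pam_unix line for the same su attempt
# is not counted twice.
SU_FAIL = re.compile(
    r"\bsu(?:\[\d+\])?: FAILED su for (?P<target>\S+) by (?P<user>\S+)")
SUDO_FAIL = re.compile(
    r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<n>\d+) incorrect password "
    r"attempts? ;.*\bUSER=(?P<target>\S+)")


def failed_escalations(log_text):
    """Count failed password attempts per (invoking user, target user, tool)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = SU_FAIL.search(line)
        if m:
            hits[(m["user"], m["target"], "su")] += 1
            continue
        m = SUDO_FAIL.search(line)
        if m:
            # sudo reports the number of bad passwords in a single line.
            hits[(m["user"], m["target"], "sudo")] += int(m["n"])
    return hits


def alerts(log_text, threshold=1):
    """Return the (user, target, tool) keys at or above the alert threshold."""
    counts = failed_escalations(log_text)
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for user, target, tool in alerts(SAMPLE_LOG):
        print(f"ALERT: {user} failed {tool} to {target}")
```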