| 1 |
Stroller wrote: |
| 2 |
> |
| 3 |
> On 9 Feb 2009, at 13:05, Heiko Wundram wrote: |
| 4 |
>> ... even when he gets access to one of |
| 5 |
>> your user accounts (who happen to be in group wheel), he still has to |
| 6 |
>> guess |
| 7 |
>> the root password (when doing su -) to be able to become root, and |
| 8 |
>> hopefully |
| 9 |
>> this buys you the time to see in your logs that someone tried local |
| 10 |
>> "su" with |
| 11 |
>> invalid passwords, which should always be a high priority alert. |
| 12 |
> |
| 13 |
> I have been using `sudo` over `su` for a long time because I felt it |
| 14 |
> reduces the risk of staying too long logged in as root, doing something |
| 15 |
> daft and damaging the system. |
| 16 |
> |
| 17 |
> However I have now many times found myself typing `sudo` commands |
| 18 |
> automatically & sometimes inattentively, so that would seem to undermine |
| 19 |
> that argument. |
| 20 |
> |
| 21 |
> Your point is very persuasive. I guess my remaining objection is that I |
| 22 |
> have my .bashrc & .bash_profile just the way I like them, and using root |
| 23 |
> would seem to require me to make any changes in two places. |
| 24 |
|
| 25 |
You can instruct sudo to ask for the target user's password instead of |
| 26 |
your own. In this case, you can make to ask for root's password. Look |
| 27 |
up "targetpw" in sudo's docs. To make sudo ask for the target user's |
| 28 |
password by default, put this in /etc/sudoers: |
| 29 |
|
| 30 |
Defaults targetpw |
Archives