Thread: sudo issue
29th May 2010
ocicat
Administrator

Quote:
Originally Posted by rpindy
Any ideas?
Your question is unclear, but it appears you are assuming that the root password is required for both su(1) & sudo(8). This isn't necessarily true.

The problem with su(1) is that one either knows the root password or one doesn't, & if one knows the root password, they have complete control over the system. The privilege separation implemented by the system is absolutely defeated.

The purpose of sudo(8) is to implement a configurable privilege policy which can be partial. su(1) cannot do this. sudo(8) roles can be established which may grant some privileges of root, but not necessarily all. sudo(8) can also grant root privileges by command. Likewise, the root password doesn't have to be shared since sudo(8) expects the user to enter their own non-privileged account password.

In this manner, sudo(8) has finer control & granularity over sharing root's control all without sharing root's password.

Note that sudo(8) is not configured by default. visudo(8) is used to edit the local sudo(8) policy. The default policy will not grant any root privileges to non-privileged users regardless of whether the root password or non-privileged password(s) are used.

If you are looking for more information on sudo(8), study the manpage & the project's Webpage:

http://www.gratisoft.us/sudo/

Also note that sudo(8)'s current author is also an OpenBSD developer.
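A sudoers fragment illustrating the partial, per-command policy described in the post above. This is an added example, not part of the original post or of the sudo project; the user names, the group name and the command paths are assumptions.

```sudoers
# Constructed example policy. Edit only through visudo(8), which locks
# the file and refuses to install a policy that fails to parse.
# alice, bob and %operators are hypothetical accounts.

# Command aliases name the exact commands a role may run as root.
# Arguments are pinned where possible: a rule with arguments only
# matches when the user types exactly those arguments.
Cmnd_Alias POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot
Cmnd_Alias USB   = /sbin/mount /mnt/usb, /sbin/umount /mnt/usb

# Full grant: the same power as su(1), but alice authenticates with
# her own password, so root's password is never shared.
alice      ALL = (ALL) ALL

# Partial grant by command: bob may mount and unmount one fixed
# mount point as root, and nothing else.
bob        ALL = (root) USB

# Partial grant by role: members of the group may power the machine
# down or restart it.
%operators ALL = (root) POWER

# Caveat for partial grants: a command that can start a shell or write
# arbitrary files (editors, pagers, interpreters, package tools that
# run scripts) is equivalent to a full grant. List only commands
# whose whole behaviour you are willing to delegate.

# Users who match no rule receive no privileges at all.
```

Check the file with `visudo -c` before relying on it; each user can then see exactly what they have been granted with `sudo -l`.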