# Sudo Vs. Su Vs. Sudo Su

## humbletech99

I am torn between how to administer my systems. At home I always su and that's the end of it. At work, my boss insists on sudo or sudo su because he says it's got better logging.

I believe that su is better for security because 2 passwords are required, whereas with sudo, if you get the user-level password, you also get root.

Could anyone give me their experiences and knowledge on the pros and cons of each?

----------

## oliver

At work we would lock the root password (on Solaris), i.e. literally run

```
# passwd -l root
```

This was so we didn't have to change root every few months when someone left, and we didn't have to maintain multiple passwords. I didn't see any problems with that approach, but I'm not sure it's infallible.

Benefits were that we could also monitor su-to-root attempts and know immediately that they weren't supposed to be doing that, and sudo had more than enough logging to keep people happy.

----------

## luisfelipe

Also, with sudo you can enable people to run only specific commands, which is a lot better than giving them access to the entire system as root. Check the man page for sudoers to learn how to use that.

----------

## pjp

 *humbletech99 wrote:*   

> with sudo if you get the user level password, you also get root.

sudo can be configured to require the root password. "rootpw: If set, sudo will prompt for the root password instead of the password of the invoking user. This flag is off by default."

Moved from Other Things Gentoo.

----------

## zigver

 *humbletech99 wrote:*   

> I believe that su is better from security because 2 passwords are required, whereas with sudo if you get the user level password, you also get root.

 

sudo is much more powerful than that.  You can tailor what commands on what machines various users are able to sudo.  It's very flexible.

----------

## VStrider

 *pjp wrote:*   

> sudo can be configured to require the root password. "rootpw: If set, sudo will prompt for the root password instead of the password of the invoking user."

 

Hehe, yeah, but kind of defeats the purpose of sudo though, doesn't it? ;)

humbletech99, I use sudo for common everyday stuff like emerge --sync or emerge -avuD world that I want to run from my user account without typing any password. This is safe because even if someone gets my user password, they can run sudo emerge -avuD world but they cannot run sudo emerge -C or anything else. For uncommon stuff I just use su.

As another example of sudo, my gf's PC is an old machine that connects to mine as a thin client. I've set up a runlevel called ltsp which starts nfs (if stopped), xinetd/in.tftp, dhcpd etc. Now if I'm not home she can still start the server with sudo /sbin/rc ltsp, but she can't go into another runlevel apart from default and ltsp.

----------
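The per-command restriction luisfelipe and zigver describe, pjp's rootpw flag, and VStrider's emerge and rc rules, written out as one sudoers fragment. This is an added example, not a file from anyone in the thread; the user names alice and gf, the wheel group, and the paths /usr/bin/emerge and /sbin/rc are assumptions (check the real paths with `which` on your own box).

```sudoers
# Added example, not from the thread.  Names and paths below are assumed.
# Edit with visudo, never directly; a syntax error here locks everyone out.

# Where sudo writes its own log in addition to syslog.
Defaults logfile=/var/log/sudo.log

# Command aliases keep the per-user lines readable.  Arguments are matched
# literally (shell wildcards allowed), so "emerge -C foo" matches nothing.
Cmnd_Alias UPDATE = /usr/bin/emerge --sync, /usr/bin/emerge -avuD world
Cmnd_Alias LTSP   = /sbin/rc ltsp, /sbin/rc default

# alice may run only the two emerge invocations, without a password.
alice   ALL = NOPASSWD: UPDATE

# gf may switch only between the default and ltsp runlevels.
gf      ALL = LTSP

# Admins get everything, authenticating with their *own* password, which is
# what lets you lock root (passwd -l root) and still administer the box.
%wheel  ALL = (ALL) ALL

# pjp's flag: ask for root's password instead of the caller's.  Uncomment
# only if you want sudo's logging without its per-user credentials.
# Defaults rootpw

# Newer sudo versions (1.7.5 and later) can record the session's terminal
# I/O for replay with sudoreplay, which is the usual answer to "once you
# become root, nothing gets logged".
# Defaults log_input, log_output
```

Check the file with `visudo -c -f /path/to/file` before installing it. Two caveats a practitioner wants: an allow-list by command only restricts someone if none of the permitted commands can spawn a shell or write arbitrary files as root (a plain `sudo su`, `sudo -i` or `sudo vi` grants everything), and any user in the `%wheel` line above is effectively root, so the one-password-versus-two question in the thread applies to exactly those accounts and to nobody else.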

## pjp

 *VStrider wrote:*   

>  *pjp wrote:*   
> > sudo can be configured to require the root password. "rootpw: If set, sudo will prompt for the root password instead of the password of the invoking user."
> 
> Hehe, yeah, but kind of defeats the purpose of sudo though, doesn't it?

 

 *humbletech99 wrote:*   

> I believe that su is better from security because 2 passwords are required, whereas with sudo if you get the user level password, you also get root.

  Depends on your needs I guess.

----------

## humbletech99

We've also disabled the root password on our public-facing servers and use 'sudo su'.

I understand that sudo is very flexible and you can allocate commands to users etc., although I didn't know you could actually use the root password with sudo.

Here, if anyone has access to the machine, they're all programmers/admins, so we really do just sudo su; hence sudo's flexibility is a little wasted on us....

I think in a way though, the rootpw with sudo does defeat the whole point.

Maybe it's just a matter of preference.

Does anybody know if the default logging is better with sudo su than with su?

I can't imagine that it is (can't test it now either)...

----------

## VStrider

I don't like 'sudo su'. I think it's pointless, since you start a root session. And your user already has the root password, so why not just su? The purpose of sudo is to give certain privileges to various users without giving them the root password. Think of it like an ACL for security privileges instead of files.

As for logging, su does log auth failures or the UID that starts a root session, though this is mostly a reminder of when root logged in; it's not so much for security, since someone with a root password can always delete/change logs. If you can't trust them fully, you shouldn't give them root passwords; ACLs and/or MACs are in order. So I can't see how sudo su is any better.

----------

## humbletech99

Neither can I. In fact I think it's worse, since you only need 1 password to get root privilege instead of 2 passwords, but it's not my call and I'm trying to understand the benefits of it and why it was chosen....

I suppose one benefit is that if someone leaves, you just delete their account and that's the end of it, rather than having to change root and tell everyone who uses it. Also, having the root account completely disabled is quite good in some ways because this is the main target, although someone would probably try and go via the lower privilege first, figuring users are stupid and have easier passwords...

Beyond that I can't think of anything...

----------

## zigver

 *humbletech99 wrote:*   

> Does anybody know if the default logging is better with sudo su than with su?
> 
> I can't imagine that it is (can't test it now either)...

 

I can't speak to whether this is the default or not, but sudo as I've used it at work for the last 8 years logs the following every time sudo is invoked: date, user executing the command, host executed on, current TTY, current directory, the effective UID, and the command executed (with full path).

EDIT:  I guess this isn't really better in the sense that once you become root, nothing gets logged.

----------
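The records zigver lists and the su-to-root monitoring oliver describes, turned into a small parser with the checks an admin who has locked root would actually run. This is an added example and not code from anyone in the thread; the log lines in `SAMPLE_LOG` are constructed to match the shape of sudo's syslog output and shadow-utils su's `+ tty user:target` / `- tty user:target` records, and the host name web1, the user names and the `/var/log` paths are assumptions.

```python
"""Parse sudo and su syslog records and flag the ones an admin who has locked
root (oliver's setup) would want to see.

Added example, not code from anyone in the thread.  The log lines in
SAMPLE_LOG are constructed to match the shape of sudo's syslog output and
shadow-utils su's "+ tty user:target" / "- tty user:target" records; adjust
the regexes if your syslog prefix or su build logs differently.
"""
import re
from dataclasses import dataclass

# Constructed sample of what /var/log/auth.log or messages might contain.
SAMPLE_LOG = """\
Mar  3 12:34:56 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/emerge -avuD world
Mar  3 12:35:10 web1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/emerge -C gcc
Mar  3 12:36:02 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su
Mar  3 12:37:41 web1 su[4123]: + pts/2 carol:root
Mar  3 12:38:15 web1 su[4130]: - pts/3 dave:root
Mar  3 12:39:00 web1 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# The fields zigver lists: date, invoking user, host, TTY, working directory,
# target user (sudo's USER= field) and the command with its full path.  A
# refusal ("command not allowed", "N incorrect password attempts") appears as
# an extra "reason ; " element before TTY=.
SUDO_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<cwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)
# shadow-utils su: "+" for a successful switch, "-" for a failed one.
SU_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[\d+\]: "
    r"(?P<result>[+-]) (?P<tty>\S+) (?P<user>[^:]+):(?P<target>\S+)$"
)

# Commands that hand the caller an interactive root shell.  After one of these
# sudo logs nothing further (zigver's point), so they deserve a second look.
SHELL_COMMANDS = {"/bin/su", "/usr/bin/su", "/bin/sh", "/bin/bash"}


@dataclass
class Event:
    kind: str      # "sudo" or "su"
    date: str
    host: str
    user: str      # invoking user
    target: str    # account they asked to become
    tty: str
    cwd: str       # working directory; "" for su, which does not log it
    command: str   # full path plus arguments as logged; "" for su
    denied: bool   # sudo refused, or su failed


def parse_line(line):
    """Return an Event for a sudo or su record, None for any other line."""
    m = SUDO_RE.match(line)
    if m:
        return Event("sudo", m["date"], m["host"], m["user"], m["target"],
                     m["tty"], m["cwd"], m["command"], m["reason"] is not None)
    m = SU_RE.match(line)
    if m:
        return Event("su", m["date"], m["host"], m["user"], m["target"],
                     m["tty"], "", "", m["result"] == "-")
    return None


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def findings(events, root_locked=True):
    """Return (label, event) pairs worth a human's attention.

    su-to-root: with root locked no su to root can legitimately succeed, so
                every attempt, successful or not, means something is off.
    denied:     sudo refused the command or the caller failed the password.
    root-shell: sudo granted a shell; whatever follows is unlogged.
    """
    out = []
    for e in events:
        if e.kind == "su" and e.target == "root" and root_locked:
            out.append(("su-to-root", e))
        elif e.denied:
            out.append(("denied", e))
        elif e.kind == "sudo" and e.command.split(" ", 1)[0] in SHELL_COMMANDS:
            out.append(("root-shell", e))
    return out


if __name__ == "__main__":
    for label, ev in findings(parse_log(SAMPLE_LOG)):
        print(f"{label:<11} {ev.date} {ev.host} {ev.user} -> {ev.target} "
              f"tty={ev.tty} {ev.command}")
```

In use you would feed it the file your syslog sends the `authpriv` facility to rather than the constructed sample. Two points the thread raises bear on how much this is worth: a successful `+ ... :root` line on a host where root is locked is the loudest signal in the file, and, as VStrider notes, anyone who reaches a root shell can rewrite the local log, so the parser only means something if the lines are also shipped to a syslog host the root session cannot touch.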

