Usage of sudo vs su

F_style · September 30, 2020, 7:50pm

For some reason I have had a strange idea/doubt for a long time, and wondering if you could help me…

Did usage of “sudo” over “su -” use to be discouraged on openSUSE in general in the past? Or is it just idea of mine?

If not, when do you normally use one or the other?

Thanks.

malcolmlewis · September 30, 2020, 8:02pm

Hi
I for one discourage it’s use… If you want to use sudo, then it’s better to configure the sudoers file since it’s not really configured…

F_style · September 30, 2020, 8:21pm

So it wasn’t just idea of mine…

Why is sudo discouraged in openSUSE and not in other distros? What’s different here?

hcvv · September 30, 2020, 9:06pm

It isn’t discouraged in openSUSE IMHO. It is just one of the ways to get a root owned process.

Personally I never use it, but I use

su -

That - is crucial!

The implementation in KDE of the menu item “System” > “Terminal - Super User Mode” does do an su -. Thus that is the way I normally do it. It has also the avantage that I can give that terminal a different background colour as an alert.

AFAIK the default sudo configuration as installed with openSUSE results in the same allowances as su -. But in that case, I do not see any advantage in using the fat sudo over the tiny su - (and no surprises in case the sudo configuration is a bit different from what you assumed it is).

But I may be biased by the fact that su existed looooong before sudo.

nrickert · September 30, 2020, 10:24pm

I don’t think openSUSE is actively discouraging “sudo”. I think SuSE existed before “sudo” existed.

My view from early on is:

System administrators us “su” to get permission for their administrative tasks.
Other people use “sudo” to handle more limited responsibilities. For example, you could setup “sudo” so that some operational staff could use it to take backups but could not do other administrative tasks.

And then Ubuntu happened, and they adopted the policy that “sudo” was the way to administer the system. That’s one of the things that I dislike about Ubuntu.

hcvv · September 30, 2020, 10:41pm

I am fully with @nrickert. It seems that other distros (I am not that fluent in all of them, but I accept that it starts with Ubuntu) misuse sudo with the effect that the Linux world is full of advice to precede almost every command with sudo :(.

But the way sudo is configured on those systems differ from what openSUSE does by default. In short, you need the root password “to get Superuser status” and not the user password. And that is as it should be.

But I differ about the age of sudo. See https://en.wikipedia.org/wiki/Sudo.
I can add that it isn’t in the man pages of HP-UX 10.0 (1995, which I still have in print here), but it certainly was available then from other sources (univerity?) then or short after. We (my IT department) rejected it, because it was not from the provider Hewlett Packard and not opensource and thus we would have nobody to go to when there was a security hole).

peteh100 · September 30, 2020, 11:19pm

If I try out a buntu based distro (currently kde-neon) I always set up sudoers like opensuse and create a root password.

F_style · October 1, 2020, 12:22am

I think Debian has both sudo and su, like openSUSE, but IIRC from somewhere in their forums, they think “sudo is the way to go because it’s safer than su: with sudo the root session ends as soon as command ends; with su you run the risk of the root shell remaining open”. Or so I understood…

@malcolmlewis:
Why do you discourage sudo?

deano_ferrari · October 1, 2020, 12:37am

Yes, that is one criticism of the root terminal approach. Of course similar to sudo (non-persistent approach), there is also the possibility to do

su -c <command>

malcolmlewis · October 1, 2020, 12:56am

Hi
On a single user system, little point, sure for managed systems to control user access and specific applications (I use it for osc and building packages with /usr/bin/build configured with visudo).

Switch to root user with su - (and not su) perform the required task(s) and exit… one task per sudo command, seems pointless?

I like a separate user password and root password, on other distributions that I have played with I always sudo -i and set a root password

tsu2 · October 1, 2020, 1:21am

sudo impersonates.
su (and su -) is the real root account.

There’s a big difference between the two, for systems like openSUSE which supports “su” each will grant you different access although for many things there isn’t a difference. An example is if you’re administrating a relational database, it’s unlikely that sudo will work.

Many other distros have a philosophy that true root access (su) is too dangerous to allow User access under any circumstances so forces Users to use the slightly less privileged sudo.

As long as I’ve used openSUSE (since 10.7), it’s always supported Users invoking “su” – It’s not new and has not changed since “forever.”
As such, you can choose to use “sudo” all you want but to my knowledge no one has ever compromised openSUSE because “su” was permitted. Maybe someone has even compromised openSUSE but never publicized that happening… but the two most likely means I can think of can be addressed simply… By not leaving an elevated console running unattended and making your root password different than your default User (which is not default installation). It would be very, very difficult to somehow access and use elevated permissions normally.

That’s why I say that it’s a waste of effort to type “sudo” for every one of 100 commands instead of executing those commands in an elevated “su” console.

TSU

karlmistelberger · October 1, 2020, 11:56am

I always run ‘su -’. On systems insisting on “sudo …” I run “sudo passwd” exactly once. Then I can use ‘su -’.

dcurtisfra · October 1, 2020, 1:40pm

The reason is embedded in the comments of the default “/etc/sudoers” file:


## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

****** In other words, on a freshly installed system, always “visudo” to disable the default (easy) behaviour and achieve this behaviour:


 > LANG=C sudo something
[sudo] password for «*The user calling “sudo”*»: 
«*The user calling “sudo”*» is not in the sudoers file.  This incident will be reported.
 >

And, in the systemd Journal:


Okt 01 13:27:35 xxx sudo[21600]: pam_kwallet5(sudo:auth): (null): pam_sm_authenticate
Okt 01 13:27:35 xxx sudo[21600]: pam_kwallet5(sudo:auth): pam_kwallet5: Couldn't get password (it is empty)
Okt 01 13:27:46 xxx sudo[21600]:      ?? : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/?? ; USER=root ; COMMAND=something
Okt 01 13:27:46 xxx postfix/pickup[21286]: D913340347: uid=0 from=<root>
Okt 01 13:27:46 xxx postfix/cleanup[21610]: D913340347: message-id=<20201001112746.D913340347@xxx.*Domain*>
Okt 01 13:27:46 xxx postfix/qmgr[2514]: D913340347: from=<root@xxx.*Domain*>, size=477, nrcpt=1 (queue active)
Okt 01 13:27:46 xxx postfix/local[21612]: D913340347: to=<root@xxx.*Domain*>, orig_to=<root>, relay=local, delay=0.12, delay>
Okt 01 13:27:46 xxx postfix/qmgr[2514]: D913340347: removed

And, the mail sent to the user “root” is:

>N  1 ??@xxx.*Domain* Thu Oct  1 13:27   16/613   *** SECURITY information for xxx ***

with content:

xxx : Oct  1 13:27:46 : ?? : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/?? ; USER=root ; COMMAND=something

IMHO, this is reasonable system security …

awerlang · October 1, 2020, 4:52pm

Great topic with great insights.

I couldn’t see how the distro would favor one over another, since openSUSE packages both. Except on a minimal install su is available while sudo is not. That said I prefer sudo, since most of my tasks require a single command as root, and I have a few selected commands that won’t require the root password when called with sudo (systemctl, zypper, rpmconf, btrfs). For a single-user system this is convenient. For multi-user, multi-admin, sudo is even more convenient. Besides, with su I’d have a different set of dotfiles, which would be inconvenient for me.

dcurtisfra:

****** In other words, on a freshly installed system, always “visudo” to disable the default (easy) behaviour and achieve this behaviour:
 > LANG=C sudo something
[sudo] password for «*The user calling “sudo”*»: 
«*The user calling “sudo”*» is not in the sudoers file.  This incident will be reported.
 > 

Relevant xkcd: https://xkcd.com/838/

glistwan · October 1, 2020, 5:14pm

This thread reminds me of discussions whether vi or emacs is better

F_style · October 1, 2020, 6:12pm

So in the end it depends of the administrative needs…

By the way, there’s a multiboot USB tool that I use for installations of which I once talked about; the script that sets up the entire USB drive uses sudo and then gets back the username of original user in order to change ownership of the files copied to the USB.

Do you think this could be a reasonable use of sudo?

tsu2 · October 2, 2020, 1:35am

What minimal install are you describing?
I haven’t yet run into any openSUSE install where sudo wasn’t installed.

TSU

tsu2 · October 2, 2020, 1:36am

Why not just su to whatever User you want to be logged in as and then perform whatever operations as that User?

TSU

awerlang · October 2, 2020, 2:50am

sudo is not a required package of anything I have installed. So deselecting “Recommended packages” in the installer is one way. Probably the literal “Minimal install” as well.

tsu2 · October 2, 2020, 4:23am

OK, if that is how you’re doing it,
Plenty of packages can be not installed by choice.

Was thinking along lines of default installs of JeOS, server(text only) installs.

TSU