{"id":5615,"date":"2019-09-20T16:19:14","date_gmt":"2019-09-20T20:19:14","guid":{"rendered":"http:\/\/www.linux-databook.info\/?page_id=5615"},"modified":"2019-09-20T16:19:26","modified_gmt":"2019-09-20T20:19:26","slug":"real-sysadmins-dont-sudo-book-excerpt","status":"publish","type":"page","link":"http:\/\/www.linux-databook.info\/?page_id=5615","title":{"rendered":"Real SysAdmins don\u2019t sudo"},"content":{"rendered":"\n<p>I was just reading a very interesting article that contained some \ngood information about a Linux feature that I want to learn about. I \nwon\u2019t tell you the name of the article, what it was about, or even the \nweb site on which I read it, but the article just made me shudder.<\/p>\n\n\n\n<p>The reason I\n found this article so cringe-worthy is that it prefaced every command \nwith the sudo command. The issue I have with this is that the article is\n allegedly for SysAdmins and real SysAdmins don\u2019t use sudo in front of \nevery command they issue. This is a gross misuse of the sudo command and\n I have written about this type of misuse in my book, \u201c<a href=\"https:\/\/www.apress.com\/us\/book\/9781484237298\" target=\"_blank\" rel=\"noreferrer noopener\"><em>The Linux Philosophy for SysAdmins<\/em><\/a>.\u201d The following is an excerpt from Chapter 19 of my book.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">sudo or not sudo<\/h2>\n\n\n\n<p>I think that part of being a System Administrator and using your \nfavorite tools is to use the tools we have correctly and to have them \navailable without any restrictions. In this case I find that the sudo\n command is used in a manner for which it was never intended. 
I have a \nparticular dislike for how the sudo facility is being used in some \ndistributions, especially because it is employed to limit and restrict \naccess by people doing the work of system administration to the tools \nthey need to perform their duties.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\u201c[SysAdmins] don\u2019t use sudo.\u201d<\/p><cite>Paul Venezia<\/cite><\/blockquote>\n\n\n\n<p>Venezia explains in his InfoWorld <a href=\"https:\/\/www.infoworld.com\/article\/2623488\/unix\/nine-traits-of-the-veteran-unix-admin.html\" target=\"_blank\" rel=\"noreferrer noopener\">article<\/a>\n that sudo is used as a crutch for SysAdmins. He does not spend a lot of\n time defending this position or explaining it. He just states this as a\n fact. And I agree with him \u2013 for SysAdmins. We don\u2019t need the training \nwheels in order to do our jobs. In fact they get in the way.<\/p>\n\n\n\n<p>Some distros, such as Ubuntu, use the sudo command in a manner that \nis intended to make the use of commands that require elevated (root) \nprivileges a little more difficult. In these distros it is not possible \nto log in directly as the root user so the sudo command is used to allow \nnon-root users temporary access to root privileges. This is supposed to \nmake the person a little more careful about issuing commands that need \nelevated privileges such as adding and deleting users, deleting files \nthat don\u2019t belong to them, installing new software, and generally all of\n the tasks that are required to administer a modern Linux host. Forcing \nSysAdmins to use the sudo command as a preface to other commands is \nsupposed to make working with Linux safer.<\/p>\n\n\n\n<p>Using sudo in the manner it is used by these distros is, in my opinion, a \nhorrible and ineffective attempt to provide novice SysAdmins with a \nfalse sense of security. It is completely ineffective at providing any \nlevel of protection. 
I can issue commands that are just as incorrect or \ndamaging using sudo as I can when not using it. The distros that use \nsudo to anesthetize the sense of fear that we might issue an incorrect \ncommand are doing SysAdmins a great disservice. There is no limit or \nrestriction imposed by these distros on the commands that one might use \nwith the sudo facility. There is no attempt to actually limit the damage\n that might be done by actually protecting the system from the users and\n the possibility that they might do something harmful \u2013 nor should there\n be.<\/p>\n\n\n\n<p>So let\u2019s be clear about this \u2013 these distributions expect the user to\n perform all of the tasks of system administration. They lull the users \u2013\n who are really System Administrators if you remember my list from \nChapter 1 \u2013 into thinking that they are somehow protected from the \neffects of doing anything bad because they must take this restrictive \nextra step to enter their own password in order to run the commands.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bypass sudo<\/h2>\n\n\n\n<p>Distributions that work like this usually lock the password for the \nroot user and Ubuntu is one of these distros. This way no one can log in \nto root and start working unencumbered. \u2026<\/p>\n\n\n\n<p><em><strong>Note:<\/strong> I have deleted experiment 19-1 to save space.&nbsp;<\/em><\/p>\n\n\n\n<p>Please do not misunderstand me. Distributions like Ubuntu and their \nup- and down-stream relatives are perfectly fine and I have used several\n of them over the years. When using Ubuntu and related distros, one of \nthe first things I do is set a root password so that I can log in \ndirectly as root.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Valid uses for sudo<\/h2>\n\n\n\n<p>The sudo facility does have its uses. 
The real intent of sudo is to \nenable the root user to delegate to one or two non-root users access to\n one or two specific privileged commands that they need on a regular \nbasis. The reasoning behind this is that of the lazy SysAdmin; allowing \nthe users access to a command or two that requires elevated privileges \nand that they use constantly, many times per day, saves the SysAdmin a \nlot of requests from the users and eliminates the wait time that the \nusers would otherwise experience. But most non-root users should never \nhave full root access, just access to the few commands that they need.<\/p>\n\n\n\n<p>I sometimes need non-root users to run programs that require root \nprivileges. In cases like this I set up one or two non-root users and \nauthorize them to run that single command. The sudo facility also keeps a\n log of the user ID of each user that uses it. This might enable me to \ntrack down who made an error. That\u2019s all it does; it is not a magical \nprotector.<\/p>\n\n\n\n<p>The sudo facility was never intended to be used as a gateway for \ncommands issued by a SysAdmin. It cannot check the validity of the \ncommand. It does not check to see if the user is doing something stupid.\n It does not make the system safe from users who have access to all of \nthe commands on the system even if it is through a gateway that forces \nthem to say \u201cplease\u201d \u2013 that was never its intended purpose.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\u201cUnix never says please.\u201d<\/p><cite>Rob Pike<\/cite><\/blockquote>\n\n\n\n<p>This quote about Unix is just as true about Linux as it is about Unix. We SysAdmins log in as root when we need to do work as root and we log out of our root sessions when we are done. Some days we stay logged in as root all day long but we always work as root when we need to. 
We  never use sudo because it forces us to type more than necessary in order  to run the commands we need to do our jobs. Neither Unix nor Linux asks  us if we really want to do something, that is, it does not say \u201cPlease  verify that you want to do this.\u201d<\/p>\n\n\n\n<p>Yes, I dislike the way some distros use the sudo command.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was just reading a very interesting article that contained some good information about a Linux feature that I want to learn about. I won\u2019t tell you the name of the article, what it was about, or even the web&hellip;<\/p>\n<p class=\"more-link-p\"><a class=\"more-link\" href=\"http:\/\/www.linux-databook.info\/?page_id=5615\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"parent":677,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-5615","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"http:\/\/www.linux-databook.info\/index.php?rest_route=\/wp\/v2\/pages\/5615","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.linux-databook.info\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/www.linux-databook.info\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/www.linux-databook.info\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.linux-databook.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5615"}],"version-history":[{"count":3,"href":"http:\/\/www.linux-databook.info\/index.php?rest_route=\/wp\/v2\/pages\/5615\/revisions"}],"predecessor-version":[{"id":5618,"href":"http:\/\/www.linux-databook.info\/index.php?rest_route=\/wp\/v2\/pages\/5615\/revisions\/5618"}],"up":[{"embeddable":true,"href":"http:\/\/www.linux-databook.info\/index.php?rest_route=\/wp\/v2\/pages\/677"}],"wp:attachment":[{"href":"http:\/\/www.linux-databo
ok.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}