
Which approach is better?

For desktop usage, it seems that sudo is better since:

  • I can have a more consistent history as a normal user
  • Don't need to remember two passwords, which is especially true when I don't do administrative stuff regularly.
  • No need to create an additional root account on installation.

But what about server management?

On a server you usually already have a root account created and you are likely to do administrative stuff often. So the advantages of sudo no longer seem to hold.

What's more, it's easy to configure su on command line in most distributions, just add the user to the wheel group. (You can even pass -G wheel when useradding.) Thus configuring su can be easily automated into shell scripts.

But for sudo? You need to first add the user, then run visudo interactively. This is bad since you cannot automate it in shell scripts.

(Well, you can. For example,

cp /etc/sudoers /etc/sudoers.old
cp /etc/sudoers /tmp/sudoers.tmp   # start from the current file, otherwise the final copy replaces sudoers with only the new line
echo '%wheel    ALL=(ALL)   ALL' >> /tmp/sudoers.tmp
visudo -c -f /tmp/sudoers.tmp && install -m 0440 /tmp/sudoers.tmp /etc/sudoers   # 0440: a world-readable sudoers is refused by sudo

But at least it is not that easy.)

So what are your opinions? For a server environment, which do you prefer, sudo or su root?

weakish
  • This should be a wiki, otherwise it's likely to get closed because it's far too subjective. – John Gardeniers Dec 27 '09 at 01:43
  • I don't think it's far too subjective. Just like Raphink's excellent answer shows, in a multiple user environment, sudo is preferred. – weakish Dec 27 '09 at 09:20
  • I don't think it's a subjective question at all. It's not about whether you like sudo or not, but whether it's adapted to one use or another. – raphink Dec 27 '09 at 18:55
  • By the way, I'm also a bit surprised at your `visudo -c` command, as I believe you need `visudo -c -f` to check a specific file. – raphink Dec 27 '09 at 18:57
  • @Raphink yes, you're totally right. I've edited my question. – weakish Dec 30 '09 at 01:15

2 Answers


The root account is necessary on servers for sure, but I prefer granting sudo rights, especially when there are several users on the machine, and this for several reasons:

  • I don't use sudo only to grant ALL rights for ALL commands, but also to grant specific rights as a specific user to specific commands.
  • By assigning users to functional groups, I can manage their rights with these groups in sudoers instead of managing users individually.
  • sudo accesses are logged in auth.log by default, including which users used sudo at what time.
  • sudo allows you to manage the configuration for several machines with one file.
  • each user keeps their own password, so there is no need to change the root password when a user leaves.

As for managing it with scripts, new versions of sudo support inclusions, but I prefer to use puppet and set classes that concatenate sudoers contents.

Puppet can also be associated with Augeas to manage your sudoers file.

raphink
  • In fact I've not considered the multiple-user case. You are right, sudo is apparently a winner when there are multiple users. But for a single user, I still think su is sufficient. P.S. Thanks for mentioning puppet. I just wasn't aware of such a cute tool before. – weakish Dec 26 '09 at 13:36
  • By the way, if you wish to validate your sudoers file before deploying it with puppet, I've got a validate function at hand which does that. – raphink Dec 26 '09 at 14:22
  • When using sudo, root doesn't even need to have a valid password as you only need to rely on the users' passwords. Along with not needing to change the root password when someone leaves, you also have one fewer password that could be guessed/broken/hacked. – Shannon Nelson Dec 29 '09 at 09:39
  • @ShannonNelson I believe they're mentioning the root user and password as rented servers are usually provided with these. – AJP Jun 23 '13 at 22:25
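The question's concern was that sudoers changes are hard to script safely, and raphink's answer points at sudo's include support as the way out. The helper below is an added example, not code from either post: it installs one rule as a validated drop-in file, and assumes a sudoers with an `#includedir /etc/sudoers.d` line, visudo on PATH, and root privileges when the real directory is the target (the directory argument exists so it can be exercised elsewhere).

```shell
#!/bin/sh
# Hypothetical helper (not from the question or answers): add one sudoers rule
# as a validated drop-in file instead of editing /etc/sudoers in place.
# Assumes sudoers contains "#includedir /etc/sudoers.d", visudo is on PATH,
# and the caller is root when installing into the real directory.
#
# Usage: add_sudoers_rule NAME 'RULE' [DROPIN_DIR]
#   add_sudoers_rule wheel-all '%wheel ALL=(ALL) ALL'
add_sudoers_rule() {
    name=$1
    rule=$2
    dir=${3:-/etc/sudoers.d}

    # sudo skips drop-ins whose name contains '.' or ends in '~' (editor and
    # package-manager leftovers), so such a rule would never take effect.
    case $name in
        ''|*.*|*~) echo "refusing drop-in name '$name'" >&2; return 2 ;;
    esac

    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"

    # Validate the candidate file on its own; nothing under $dir is touched
    # until visudo has parsed it, so a typo cannot lock everyone out of sudo.
    if ! visudo -c -f "$tmp" >/dev/null; then
        echo "rule rejected by visudo, nothing installed: $rule" >&2
        rm -f "$tmp"
        return 1
    fi

    # sudo expects mode 0440 and refuses a file writable by anyone but its
    # owner; a plain mv would carry over the temp file's umask-derived mode.
    install -m 0440 "$tmp" "$dir/$name"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```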

You seem to be making things hard on yourself (when it comes to managing /etc/sudoers). A simple

echo '%wheel    ALL=(ALL)   ALL' >> /etc/sudoers

would suffice. All visudo does is lock the file against concurrent edits and ensure that the file still parses correctly.

rodjek
  • I use visudo -c to check the file in case something is wrong. (Though it shouldn't be. But maybe when I'm editing the script I mistyped some character, or worse, included some special non-visible character.) But I agree, your one-line solution is sufficient. – weakish Dec 26 '09 at 13:34