How is sudo safer than directly using su if the user is granted access to all commands?

command-line sudo security administrator

13,788

Solution 1

Personally I do not necessarily consider it safer and most of the benefits (of sudo) are on a multi user system. On a single user system it probably is a wash.

The benefits are (in no particular order):

sudo has superior logging. sudo logs each command.
sudo allows finer grain control. One can configure sudo to give root access to some but not all commands.
sudo uses the login password. This protects having to give the root password (as you would with su) and is related to the point above regarding finer grained control / access to root.
In Ubuntu, by default, the root account is locked. This deters crackers as to log in (remote via say ssh) they have to guess both a user name and a password. If the root account is not locked, as is the case with su, then they only need to crack root's password.
sudo -i is probably the best method to isolate root's environmental variables from your user. This comes up from time to time but is moderately esoteric. See https://help.ubuntu.com/community/RootSudo#Special_notes_on_sudo_and_shells
some people feel that having to type sudo before every command they wish to run as root or having sudo time out allows them to stop and think more clearly and reduces their errors or running erroneous commands. If doing so helps you that would be a benefit as well.

There are probably more benefits , but, those are the major ones, IMHO.

To try to answer some of your other thoughts:

There is nothing about either su or sudo that prevents you running malicious code as long as you know the password. Neither is safer or better.
Crackers can obtain shell access via a number of methods. When you see "run arbitrary code" in a security notice - https://usn.ubuntu.com/usn/ - that means a cracker can run /bin/bash or any other code. Thus a cracker, via various exploits, can obtain shell access without knowing your login name or password. Neither sudo or su helps with this.
If a cracker has shell access they can do a lot of damage without root access. For example the ransomware that encrypts all your personal data.
If a cracker has shell access to an account with root access, via either su or sudo, the cracker can obtain root access via a number of methods beyond the scope of this discussion. Neither sudo or su is superior in this respect either.

So while you have observed problems or flaws with sudo, su has the exact same vulnerabilities and su is not superior to sudo in those aspects, IMHO

Solution 2

Imagine you have 20 minutes to do something complex. You’re a bit hungover and you have to rush. “Let’s use su” you say. “It’ll save some time” is your reasoning.

By accident you type

rm -rf /*

instead of

rm -rf ./*

Your system is now bricking itself and you have 10 minutes until your deadline.

If you explicitly choose when you need root, you can minimise the chance of this happening. Root might not be needed for rm -r ./* so why use it? Why take the risk?

That’s what “safety” means here. Minimising the risk of users (all users, not just beginners) making a fatal mistake.

Of course, this is an extreme example that shouldn’t be allowed to happen in a production environment (I guarantee it has happened in a prod environment).

Security wise there’s some stuff that sudo is better for too. As @Panther says - logging, restrictions, root password is SPOF, etc.)

Solution 3

I want to add a bit of historical perspective to the other answers. Unfortunately, I do not have any sources ready except for my own memories of Usenet discussions and magazine articles.

Some time ago, in the 1990s, distributions were making it easier to install Linux on your own hardware, even with not much computer knowledge.¹ Thus, Linux started to attract more and more people that surprisingly had not previously been drilled as system administrators on some UN*X dialect. Instead, many were used to (single user) systems like Windows 95/98. And they learned that most Linux system administration tasks made it necessary to work under that strange "root" account.

Thus, some users just logged in as root and used that account for all their daily work. Why should they have to type su and the root password again and again or login into a new tty just for some admin commands? But using root for everything is of course not a good idea, as you could do a lot more harm to your system with some unmindful command in the wrong place. This even led some distro (was it SuSE?) to modify the desktop background for the root user to display a big warning that you should use that account only for admin tasks.

So, the Ubuntu way with sudo has some advantages (in addition to those already listed by Panther).

You cannot directly login to the root account.² :-)
The installation process will not ask you for an (additional) root password, you need only one (your user's) password.
sudo caches your credentials, so for multiple admin commands in sequence, you only have to enter your password once (in contrast to su). This reduces the urge to just open a shell or a new terminal with root privileges.
And it makes it easier to tell users online and in documentation which commands they have to enter as admin and which not.³

¹ And for those not daring to do it themselves, there were install parties.
² But you can use a command like sudo -i or sudo su - root to get a root shell after you logged in as a normal user.
³ But you know of course that you should not simply copy&paste commands from the Internet, right?

Solution 4

It has been possible to disable root login through ssh for decades. The Ubuntu way of disabling the root account and making people sudo everything is nothing more than a gimmick. Just "sudo -s" and you have a root shell. Disable root login through ssh and leave it there.

View more solutions

13,788

bmcentee148

Updated on September 18, 2022

Comments

bmcentee148 over 1 year

So I've been reading into the differences between using su and sudo, and everyone seems to be in agreement that the sudo approach is safer than allowing access to the root account itself. They say that with the root account you could break your entire system with just a single command. This I understand. BUT the initial user created on the system also has access to all commands using sudo. This I can find out by running su -l. If this is the case, then I can simply run sudo <game-ending command> to ruin my system. So how is this approach better or safer then allowing me direct access to the super user account? I can run all of the same commands...

Is it because using sudo on the command line I am explicitly telling the computer I think I know what I am doing? Do they think people will forget they are under the super user account unless they explicitly say so?

People also state that if the system were compromised and entered by someone foreign, being under the root account would allow them to do terrible things to my system. But it seems to me if they already have access to my account, and know my password, they can do these same terrible things by using sudo and entering my password since they don't even need to know the super user's password. What am I not getting here?
- mattdm about 6 years
  
  See Which is the safest way to get root privileges: sudo, su or login? on Unix & Linux Stack Exchange
- user253751 about 6 years
  
  Thanks for creating this question, so now there's something to show to the people who keep saying sudo is safer but can't justify it.
mckenzm about 6 years

It would be good to have an opt in to allow all users power (poweroff and reboot) control upon destop inatallation, rather than sudoers entries or having a group name.
rackandboneman about 6 years

...on that note, going key-only for ANY ssh logins, not just the root account, IS great practice.
rolinger about 6 years

I believe the biggest advantage is having to justify each command as needing superuser permissions. I found in my early experience with Linux that I tended to always end up running as root in at least one terminal as I tinkered with the system. Unfortunately, it is very easy to issue a destructive command at the terminal by misunderstanding or mistyping. If that was in the 'root terminal' it could result in a restore from backup or reinstall. sudo has protected me from that many times!
vaquito about 6 years

Not compromising the root password is perhaps the single greatest advantage of sudo. You can give root permission without revealing any secrets.
Pryftan about 6 years

Not only can you restrict commands but you can even restrict arguments specified. But I disagree that root being locked has anything to do with it; because you can configure ssh to not allow root login. There's something else though with su versus sudo: sudo you use your user password which is one fewer passwords to be compromised and that's typically not a good thing. Like everything in this world there are different ways to go about something and that doesn't mean one way is more correct than the others 100% of the time if ever. Then there are preferences.
Pryftan about 6 years

But otoh if it's more than one user needing root access (which is not something I'll get into because that's just - well it's a heated discussion at best) then sudo has an advantage there.
Pryftan about 6 years

Hell, you don't need to wait that long if you just do... chown -R nobody:nobody / or even chown -R nobody ../ as root. chmod of course has similar problems too in recursive mode. But the best point you make is that you should only be root when you need that; the less privilege your login is the better for normal use.
Pryftan about 6 years

Are you saying in Ubuntu that you can't do: sudo su - or sudo su - root ? Because I've seen similar claims e.g. that MacOS X doesn't have root but that's completely wrong when one need only do the first command...
Pryftan about 6 years

Yes. I noted this in a comment just a few minutes ago. Otoh being least privileged is best over all so only elevate when you need to and this goes for whether you're logged in by ssh or locally. And what @rackandboneman says is of course absolutely correct too though for me I disable remote root full stop even with ssh keys regardless of system.
Pryftan about 6 years

And specific arguments to the commands, too.
Dubu about 6 years

Of course there is a root account. I said you could not "directly login", meaning you cannot enter the user root and a password at the login prompt or the X login dialog and start your session as root. But you can use one of your commands (I prefer sudo -i as it's shorter and I'm lazy) to get a root shell.
Pryftan about 6 years

Please read my comment again :) I said that some say MacOS X doesn't have a root account but in fact it does and it reminded me of this (I did not equate it to there being no root account in Ubuntu). But for all I know the devs at Ubuntu were crazy enough to patch sudo to not allow that hence my question.
Dubu about 6 years

@Pryftan As I said in my comment above, both of your commands work and will get you a root shell. I will add that to my answer.
lightsong about 6 years

+1 for programming when you're hungover though.
ilkkachu about 6 years

Not having a password for root as a deterrent for brute-force password guessing is a total red herring, it's trivial to prevent direct logins as root on the SSH server. Actually, the default seems to be PermitRootLogin prohibit-password, so only SSH keys are allowed anyway.
ilkkachu about 6 years

Then, I would argue that using the user's login password to access higher privilege is not automatically a good thing. Having to enter a distinct password would at least act as a sort of a reminder that you're doing something more critical. Also, if that password is not used as often as the user's regular password, it's less prone to shoulder-surfing attacks etc. (Though getting your regular password shoulder-surfed does open possibilities to get to the root password, too.)
ilkkachu about 6 years

So, how is this different with sudo? You write sudo rm -rf /* instead of sudo rm -rf ./* and boom again.
ilkkachu about 6 years

1. Only if you take the time to configure it properly. Which the default Ubuntu system doesn't do (and can't do). 2. Only if the user has no way of editing the logs post-fact, which they can unless the commands they can run are limited. (Which it isn't in the default Ubuntu use case)
dijksterhuis about 6 years

@ilkkachu in terms of the actual command, it makes minimal difference to what happens. But you’ve had to explicitly state that you want to do this as root. That’s the point. Safety is about risk management. Of course you can still brick the system. But the less time you have root privileges, the less chance of making a fatal mistake. Safety is all about minimising the probabilities.
ilkkachu about 6 years

@dijksterhuis, sudo doesn't protect you from mistakes you make because you're hungover and/or in a rush. If the task at hand requires root privilege, you'll have your chance of making typos. For example, if the directory you're removing here belongs to some service, and isn't accessible (removable) to your normal user account. Of course, if you don't need root privilege, then you shouldn't use either of su or sudo to begin with.
dijksterhuis about 6 years

@ilkkachu no sudo vs su doesn’t protect you. Best practices do though. That’s my entire point. In my example I was lazy and used su for everything. That’s not best practice. Hence why it’s risky.
Panther about 6 years

@ilkkachu - What you say is true and there is nothing wrong with using su if you prefer for the reasons you state. FWIW just as you can configure ssh, you can also configure sudo, and, depending on your needs, the ability to limit what commands can be run with sudo and the superior logging are the main points. Also keep a historical perspective. sudo was developed at a time when ssh, by default, did absolutely allow root logins via password by default (some still so). IMHO you have to look at the entire package as well as a historical perspective. also desktop vs server vs multi user ...
Panther about 6 years

@ilkkachu , although you have some good points, your argument here makes no sense here. The point is not the default settings, the point is it is possible to configure and fine tune sudo. You can not configure su to act these ways at all. su is all or none, there is no way to limit commands and it is a matter of fact that sudo provides superior logging. Neither su or sudo offer any security against what a cracker may or may not do on a compromised system, and no one held sudo out in this way. The sudo logs have great value in normal day to day operations.
Panther about 6 years

And per group rather than per user. using groups is invaluable in multiuser environments were staff may come and go and where you may need specific roles.
ilkkachu about 6 years

@Panther, well, the question title says "...if user is granted access to all commands?" so I did assume they meant the usual default Ubuntu configuration where sudo allows everything. Sure, you can configure it to limit the commands a user is allowed to run, but I don't think that's the case in the question as asked.
Ray about 6 years

@ilkkachu Because you wouldn't type sudo rm -rf ./*. You presumably have write access to the stuff in the current directory, so you don't need sudo for that command. So the typoed command ends up being rm -rf /*, which yields a long string of "Permission denied" messages, letting you know you need to ctrl-c before it gets to the stuff you can actually delete, instead of just deleting everything in /bin, /boot, /dev, and half of /etc before you even realize something is wrong.
Pryftan about 6 years

Yes. I know that :) I wasn't saying that it was false or not the case. I was saying that it reminded me of something some people say but are incorrect in saying. Hence making bold that part.
Ben Aveling about 6 years

Answer expanded.
Panther about 6 years

@ilkkachu - re-read my answer "Personally I do not necessarily consider it safer and most of the benefits (of sudo) are on a multi user system. On a single user system it probably is a wash." I then went on to explain the other advantages of sudo, one of which is that it is configurable.