On the Utility of sudo
I recently had a bad bout upgrading php on two servers from php-4 to php-5. The confusion lay not in the differences between the two, but in how the Linux distribution I use handled these packages. In the end the user forums came to the rescue, and with a little poking around I was able to figure out how to get past the problems I was having.
But again I was struck by the directions in most of the FAQs and forum threads. It seems as if a large number of people running UNIX systems in general, and Linux systems in particular, log in as root to do the bulk of their work. To this day this makes me shudder.
Long, long ago in a career far, far away I ran UNIX machines for a living. Before anyone chuckles their superior all-knowing chuckle and says, "You mean you ran Linux systems," keep the chuckle to yourself. I've run SGI, Concurrent, Sun, IBM, HP, DEC, OpenBSD, and yes, Linux systems. I've been around the block a few times. Early on in my career one of my first mentors disabused me of the notion of logging in as root. Ever. EVER. It was good advice then, and it's good advice now.
Back then the work-around we used was the su command. This allows you to switch what UID you are logged in as. su - root is a quick way to become root, though you need to authenticate using the root password in order for it to work. Not perfect, but at least we had a timestamp in the system logs to indicate someone was dinking around as root. That way when things messed up, we could go back and see who to call.
This was in the day when quarter inch cassettes were considered state of the art. A 1GB disk cost a king's ransom, and a single CPU could serve a large research group. Times changed, and so did the tools. Not many years after this, OS distributions came on CDROM, X-Terms began going by the wayside, and beefy desktops became the norm. Around this time, some wonderful people wrote the sudo command.
sudo lets you run a single command as root. There are two advantages to using this over the old su - root trick: First and foremost, each command is logged. That way when things go wrong you not only know who to call, you know what they did before they ever answer the phone. The other advantage is that you no longer authenticate using root's password: you use your own.
There are other advantages as well. With sudo you can say what commands each person can run, what machines they can run them on, what files they can run them against, etc. It sets up an entire hierarchy of trust relationships between systems and people. Once someone's role on a particular machine is defined, setting up sudo rights so they can do that and only that is fairly straightforward.
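To make the logging point concrete, here is an added example (not code from the original post) that reads sudo's syslog entries and pulls out who ran what, which requests the sudoers policy refused, and which commands were run outside working hours. The log lines, the user and host names, and the 08:00-18:00 window are constructed assumptions for illustration.

```python
import re
from datetime import time

# Constructed sample lines in the syslog format sudo writes (not real logs).
SAMPLE_LOG = """\
Mar  3 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/apachectl graceful
Mar  3 12:40:19 web01 sudo:      bob : TTY=pts/1 ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/tail /var/log/httpd/error_log
Mar  3 22:47:30 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 23:05:44 web01 sudo:    carol : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Mar  3 23:06:10 web01 sshd[2211]: Accepted publickey for carol from 192.0.2.10 port 50022 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+(?P<clock>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:\s+(?P<body>.*)$"
)
WORK_START, WORK_END = time(8, 0), time(18, 0)  # assumed business hours


def parse_line(line):
    """Return a dict for a sudo log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # COMMAND= is always the last field; split there first so that any
    # semicolons inside the command itself are kept intact.
    head, _, command = m["body"].partition("COMMAND=")
    fields, notes = {}, []
    for part in filter(None, (p.strip() for p in head.split(";"))):
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            fields[key] = value      # TTY, PWD, USER
        else:
            notes.append(part)       # e.g. "command not allowed"
    when = time(*map(int, m["clock"].split(":")))
    return {
        "host": m["host"], "user": m["user"], "when": when,
        "runas": fields.get("USER"), "command": command.strip(),
        "denied": bool(notes), "reason": notes[0] if notes else None,
        "after_hours": not (WORK_START <= when < WORK_END),
    }


def review(log_text):
    """Return (all sudo entries, entries that were denied or after hours)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return entries, [e for e in entries if e["denied"] or e["after_hours"]]
```

On the sample, review(SAMPLE_LOG) returns four sudo entries and flags two of them: bob's refused attempt to start a root shell and carol's late-night edit.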
Needless to say, once it became available I used it. It made managing machines easier at work, and it's how I ran my machines at home. Everyone around me used it as well, so I began to take it for granted.
Then I changed jobs --
Oh.
People were logging in as root, leaving themselves logged in, and going to lunch! I was appalled. So when the edict came down from on high that we were to mend our ways and be more security-conscious, I was more than happy to deploy sudo across all our servers. Most people took to it. Some did not. In particular application owners like the webmasters were particularly offended by the new scheme. Makes perfect sense, actually. We were stripping them of their rootly privileges and leaving them with only those commands they actually needed to have in order to perform their job functions.
So they bitched. They moaned. They threw fits at upper management. And... they threw fits at us. Woe betide the person who tells me that having to type "sudo " at the beginning of each privileged command is just too haaaaaard! "I've been doing this at home for the last five years," I told them. Without exception their response was, "Bullshit!" Fine, but I was telling the truth and was happy to show them my logs to prove it. I still use it at home, and if I was still in the industry I'd use it at work, too. The advantages it offers simply outweigh any supposed drawbacks it might have.
And you'd be amazed the things those web admins would try to run after hours! Which leads me to the subject of actually looking at system logs. But that's another story...
-- Pencil
