Sudo: Root or user password?

Just a basic curiosity I had so I can better understand how this is meant to work: I noticed that on systems where the user and root passwords differ, sudo will ask for the user pass. I was always under the impression it required the password of the root account instead, since you’re invoking an action through it. It also seemed more secure, as you’re required to have two passwords to make system changes: your user password, as you need to be logged in, then the root password for su commands… then again, if you know the root password you can log in as root directly, so not much of a benefit.

Is this a universal decision in all distributions? And is it indeed the most secure way? I’m fine either way personally, just curious if this is a design choice everywhere and why it was taken.

sudo always asks for the user password - and the operation is allowed if the user has the necessary permissions.

That is - on most distributions - a member of the wheel group.

Using sudo is the recommended method - because a user account can be replaced - root cannot.

1 Like

Not all distributions think that way. PClos, for example, doesn’t install sudo by default, and it’s a fight to install it after the distro install. Here are their arguments, which make sense; both sides have their arguments:
http://www.pclinuxos.com/forum/index.php/topic,90479.0.html

su and sudo are not the same thing.

su stands for “substitute user” and defaults to the root account if no other user account was specified. It normally also requires the root password, or the password of the user you’re trying to switch to.

sudo on the other hand is more flexible in that it allows for role-based access control, whereby one user would be able to perform certain administrative tasks, but not all, and another user would have other administrative tasks at their disposal, but again not all.

The way most distributions set up sudo is less secure, because it is set up by default to ask for the user’s own password ─ this can however be changed via /etc/sudoers ─ while allowing the user full access to all administrative functions.

This silly idea originated at Ubuntu, and from there it has propagated onto other distributions, starting with Mint and other Ubuntu derivatives, and from there to Ubuntu’s upstream ─ i.e. Debian ─ and then onto other distributions. But not all distributions have adopted that. PCLinuxOS for instance carries sudo in its repositories, but refuses to install it by default.

Of course, not everyone can use sudo or su. In Manjaro concretely, the user has to be a member of the wheel group in order to be allowed to use su, and for sudo, the user must be listed in /etc/sudoers, but Manjaro sets up /etc/sudoers so that all members of the wheel group have sudo access. By default however, this will only be the first user account created at installation time ─ subsequent user accounts do not automatically become members of the wheel group.

Superuser access from within the GUI is handled through polkit, and members of the wheel group only need to enter their own password. And everything security-related depends on the settings in the pam framework.

Personally, I have disabled all direct root logins, whether at a tty, in the GUI, or even remotely. However, I did not disable the root password, as is common in Ubuntu and derivatives, or in Manjaro if you use the same password for the root account as for your regular account. So I can still use su, but root cannot log in directly. I have also set up sudo to require the password of the target user account, rather than my own password.

Hope this answers your questions. :wink:

4 Likes

Thanks, this clarifies it better. So the configuration does differ per distribution. It’s interesting to look at the balance between convenience and security Manjaro strikes with its configuration.

My concern would be that you can perform root actions with either of two passwords: su as root if you know the root password, or sudo as user if you know the user password (of a sudoer). One would think it should be just one of the two, so an attacker can’t perform system actions if they figure out either password. Both su and sudo are convenient, so dumping either would probably be an annoyance. Would be nice if at least SSH could disallow root logins and perform only as user.

Have you ever “lost” (forgotten) a password?
No? (Then your password may be too easy :wink: )

With sshd you are able to disallow root logins, disallow password logins, or both :wink:

https://wiki.archlinux.org/title/OpenSSH

I do work with ssh-keys and passphrase. Only local login with password.

2 Likes
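
The sudoers password flags and the sshd settings mentioned in the replies above, as an added example that is not part of the thread: a Python check that reports whose password sudo will prompt for and what the global sshd_config section resolves to for root and password logins. The sample file contents and function names are constructed for illustration; `targetpw`, `rootpw` and `runaspw` are sudoers flags, and `PermitRootLogin` and `PasswordAuthentication` are sshd_config keywords.

```python
import re

# OpenSSH built-in defaults for keywords missing from the file (7.0 and later).
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
# sudoers flags; if several are set, this example reports them in this order.
WHO = {"rootpw": "root", "runaspw": "runas default user", "targetpw": "target user"}

def sshd_effective(text):
    """Global-section values. sshd keeps the FIRST value it reads per keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # simplification: Match blocks and Include are not followed
            break
        if key in SSHD_DEFAULTS and len(parts) == 2 and parts[1]:
            seen.setdefault(key, parts[1].split()[0].strip('"').lower())
    return {**SSHD_DEFAULTS, **seen}

def sudo_password_source(text):
    """Whose password sudo prompts for, judged from unscoped Defaults lines only."""
    flags = dict.fromkeys(WHO, False)
    for raw in text.splitlines():
        m = re.match(r"\s*Defaults\s+(.*)", raw)  # skips Defaults:user, Defaults@host
        for item in (m.group(1).split(",") if m else []):
            item = item.strip()
            name = item.lstrip("! ")
            if name in flags:  # a later line overrides an earlier one
                flags[name] = not item.startswith("!")
    return next((WHO[n] for n in WHO if flags[n]), "invoking user")

# Constructed sample inputs, not taken from any real system.
SAMPLE_SSHD = """\
PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes
"""
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults targetpw
%wheel ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    print(sshd_effective(SAMPLE_SSHD), sudo_password_source(SAMPLE_SUDOERS))
```

On a live system, `sshd -T` (run as root) prints the configuration sshd actually resolved, including the Include and Match handling this example does not follow.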