Save space with "sudo -i" vs "su"

From your NSA document:

Note that sudo allows any attacker who gains access to the password of an administrator account to run commands as root. This is a downside which must be weighed against the benefits of increased audit capability and of being able to heavily restrict the use of the high-value root password (which can be logistically difficult to change often).

Essentially they are reverberating a very very very important point. It's not "which is better, sudo vs su". It's that "sudo" is considered best practice.

Best practices is a term that is often mistakenly interpreted to mean that "this is the way you do it". That is incorrect. Best practices refers to the first consideration you should have when designing a system and it should be heavily considered as your main option, but make sure you read the details and make an informed decision on your circumstances.

There are circumstances where sudo is not preferred. In fact, I use both for different circumstances. I run many KVM instances with an LDAP account that has sudo access on all of the VMs. This LDAP account also authenticates to the hypervisor. The reasoning for using LDAP and not a separate account for my user on the hypervisor is that in the future I will be implementing 2FA on LDAP, and wish to benefit from the 2FA on the hypervisor.

This, however, poses a security risk. If an attacker gains root control of a VM, they will be able to capture my user's password. If I use sudo on the hypervisor, then that means simply gaining root on the VM means gaining root on the hypervisor. For that reason, I use su on the hypervisor and type a root specific password on the hypervisor.

Granted, there are other countermeasures in place such as firewalls to prevent people from gaining root, but this simplifies their attack significantly. Also to note, using LDAP like this also would mean gaining root in one VM gains root in all other VMs. I personally believe hypervisor security is the most important and should be protected to higher standards, though.

/r/linux Thread
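One way to keep sudo's per-user audit trail on the hypervisor while still demanding a root-specific password for escalation there, as an added sudoers example that is not from the post above (the account name `ldapadmin`, the hostnames and the log paths are placeholder assumptions):

```sudoers
# Added example (not from the post): one sudoers policy shared by VMs and hypervisor.
# Account name, hostnames and paths are placeholders.
Host_Alias HYPERVISORS = hv01, hv02      # placeholder hypervisor hostnames
Host_Alias VMS = vm01, vm02              # placeholder VM hostnames

# Audit on every host: log each invocation and record terminal input/output.
Defaults logfile="/var/log/sudo.log"
Defaults log_input, log_output
Defaults iolog_dir="/var/log/sudo-io"
Defaults timestamp_timeout=0            # no cached credentials; re-authenticate each time

# Weak setting: with this rule alone, the LDAP user's own password is all
# sudo asks for on the hypervisor, so a password captured on a compromised VM
# also unlocks root on the hypervisor.
#   ldapadmin HYPERVISORS = (ALL) ALL

# Hardened: on hypervisor hosts, make sudo prompt for root's password instead of
# the invoking user's, so the shared LDAP credential by itself is not enough.
# (Requires root to have its own password set, as in the post.)
Defaults@HYPERVISORS rootpw

# The LDAP account keeps ordinary sudo on the VMs; on the hypervisor the same
# rule applies but root's password is required, and the action is still
# attributed to the invoking user in the logs.
ldapadmin VMS, HYPERVISORS = (ALL) ALL
```

Check the file with `visudo -c` before installing it, since a syntax error in sudoers locks everyone out of sudo.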