3. Save space with "sudo -i" vs "su"

Save space with "sudo -i" vs "su"

From your NSA document:

Note that sudo allows any attacker who gains access to the password of an administrator account to run commands as root. This is a downside which must be weighed against the benefits of increased audit capability and of being able to heavily restrict the use of the high-value root password (which can be logistically difficult to change often)

Essentially they are reverberating a very very very important point. It's not "which is better, sudo vs su". It's that "sudo" is considered best practice.

Best practices is a term that is often mistakenly interpreted to mean that "this is the way you do it". That is incorrect. Best practices refers to the first consideration you should have when designing a system and it should be heavily considered as your main option, but make sure you read the details and make an informed decision on your circumstances.

There are circumstances where sudo is not preferred. In fact, I use both for different circumstances. I run many KVM instances with an LDAP account that has sudo access on all of the VMs. This LDAP account also authenticates to the hypervisor. The reasoning for using LDAP and not a separate account for my user on the hypervisor is that in the future I will be implementing 2FA on LDAP, and wish to benefit from the 2FA on the hypervisor.

This, however, poses a security risk. If an attacker gains root control of a VM, they will be able to capture my user's password. If I use sudo on the hypervisor, then that means simply gaining root on the VM means gaining root on the hypervisor. For that reason, I use su on the hypervisor and type a root specific password on the hypervisor.

Granted, there are other countermeasures in place such as firewalls to prevent people from gaining root, but this simplifies their attack significantly. Also to note, using LDAP like this also would mean gaining root in one VM gains root in all other VMs. I personally believe hypervisor security is the most important and should be protected to higher standards, though.

/r/linux Thread
Previous
Next

Recently removed from /r/linux

Comepress - I built a tool to automatically convert all the PNG/JPG files in your web project into Next-Gen WebP format. Reduce image bundle size by 80% with Comepress, faster site loading for users and smaller project size for devs! RISC-V only takes 12 years to achieve the milestone of 10 billion cores, 5 years faster than ARM. 2025 = Year of the Linux desktop? None of my computers supports Windows 11. How are we preparing for the 2025 Tsunami of new Linux users? What has gone wrong with Linux culture? Linux in my Job Laptop 2 months since I switched from gnome to i3 from gnome Entire file ownership and permission system is nothing more than a hurdle for regular users Saw this and thought of the linux community Linux Timeline v20.10 a new age-based cli password manager Anyone in US using open source EHR software? RMS addresses the free software community SDL (very reluctantly) moving from mercurial to github Microsoft repo installed on all Raspberry Pi’s Chef cofounder on CentOS: It's time to open source everything

More Random Comments

[Poetry] South's in the house y'all Your world is your present consciousness I wanna read the most garbage book you can think of Hedy Lamarr, who’s scientific discoveries helped invent WiFi 1938 Turkey-Azerbaijan war against Artsakh [Day 44] Giving students a failing final grade makes me so anxious Someone keeps ringing my doorbell every day AITA for only preparing keto meals for my family? Weekly Chat - November 03, 2020 Expanding Campaign Timeline, Help Needed. These Sikh men tied their turbans together into a rope to save drowning girls in Canada Fox news cuts away from McEnany press conference: ‘I can’t in good countenance continuing showing this’ AITA for not wanting to use my inheritance on my kids? [Twitter] @hospital_porter: Ich bin müde (Thread, erstellt mit Threadreader) Veteran on Paul Decsi/TSM drama: "I've talked to a LOT of potential EU to NA imports this off-season and every single one of them said the same thing: they would only consider one of TL, C9...and yes, TSM."