My personal and biased view of sudo versus su

May 15, 2014

I am an old fashioned Unix sysadmin so I have not really become very enthused about using sudo as a replacement for su. I could make lots of excuses for this but what it boils down to is that I'm very used to using su and I haven't felt like trying to readjust my entire set of reflexes and my environment to using sudo instead. This doesn't mean that I don't like sudo or that I don't use it at all. Instead I merely use sudo as a replacement for what would otherwise be setuid programs (what I listed as the first face of sudo in my entry on the three faces of sudo).

Part of this is what I see as a weaker sudo security model. Part of this is because some amount of my work involves directly logging in to systems as root already, either because of the System V init environment leakage issue for restarting services (also) or because we simply haven't set up user accounts on all of our systems (eg OpenBSD firewalls). But a lot of this is just habit, my cultivated usage patterns, and what I see as additional friction on the part of using sudo.

One large part of my usage patterns is that I mostly don't intersperse operations that can be performed as an ordinary user and operations that need root powers. If I need to do a run of operations as root, adding sudo to the front of all of them would be additional friction. If I only need to do one or two operations as root I'll usually then immediately discard the root shell, because I am a disposable usage pattern person. I almost always have root shells in their own windows and I mark those windows to make them very distinctive (I mentioned it here); I think it would actually make me nervous to have sudo powers in an otherwise unmarked and undistinguished shell session.

(I do keep some root shells lingering around but these are for specific periodically repeated operations when I want to hold on to context and where repeatedly re-typing the root password would irritate me too much. They're also on my personal machines instead of any of our servers.)

So on the whole I could switch to sudo but it would be a pain in at least the short term, it would require changing how I do things, it might make the practical security issues somewhat worse, and I'm not convinced I would get much benefit from it.

All of this neglects two and a half separate elephants in the room. The first elephant is that sudo is less universally available than su is. Every Unix machine we'll ever use at work has su; not all of them supply sudo natively. The second elephant is the opinions of my co-workers. Partly because of the first elephant, my co-workers are highly likely to be no more receptive to switching to sudo than I am. Switching by myself is somewhere between pointless and quixotic (even if I switch purely on my home and office workstations) and unless I persuade my co-workers not just to switch but to change work patterns like logging in directly as root it's not likely to give us any particular benefits (which of course makes it that much harder a sell to my co-workers).

I don't necessarily think this is the ideal thing and I don't particularly advocate my approach here to anyone else. But my environment is what it is and today I feel like being honest about it.

(One little pragmatic downside of switching to sudo would be a drastic increase in sudo warning emails as we'd probably routinely fumble-finger the applicable password.)

PS: Please note that if you're using sudo audit logs to assign blame for particular bad things that happen on your machines, you're doing it wrong (also). This is one reason I don't find audit logs to be a particularly compelling advantage for sudo, especially because a crisis is both the time when you might most need audit logs (due to people's fallible memory under pressure) and also the time when people are most likely to wind up logging in directly as root because nothing else works.

Written on 15 May 2014.
« Modern mail forwarding is leaky
Some notes from migrating towards encrypted SSH keys »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Thu May 15 00:08:45 2014
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.