Miah Johnson
I posted this poll because I was curious how many people know what `sudo` actually does.
It seems many think it is distinctly different than `su`.
`sudo` and `su` are effectively the same tool. They are both setuid binaries that allow you to change your effective uid from whatever it is now, to something else.
Using either tool, you can switch to another user, and that other user may also be root.
Miah Johnson
I guess my last point on this is, if your system has sudo or doas, you never need to touch su. sudo and doas supersede su.
=)
Kit Rhett Aultman
@miah Thank you for the fascinating thread, as I was taught "sudo su -" as a set incantation, and while I could read it and know it was...weird...I also just accepted it. I come from an era before sudo, when you'd just type "su" to get a root shell, and it was common to call it "superuser" and not "switch user". I wonder if "sudo su -" started as a poorly considered "workaround" to use "su" in it's older way once sudo became common.
Miah Johnson
`sudo su` is always the least correct way to get a shell though. Effectively, you are doing:
"switch user, switch user". You only need to do this once, and sudo can do it for you via `sudo -Hi`.
But what if the user doesn't have a shell set? Or users /sbin/nologin as their shell?
Then you can `sudo -u user /bin/bash` and well, you lose all auditing ability but now you can do things as that nologin user. This works similarly with doas, and su of course.
Miah Johnson
If you're on OpenBSD (and probably other BSD's) you likely have doas(1) instead of sudo. Its _almost_ the same thing. The configuration file ditches EBNF for a more forward approach. It doesn't have LDAP support that I am aware. Its very _simple_ and works.
You can find docs in doas.conf(5) and here is an example:
`permit nopass tedu as root cmd /usr/sbin/procmap`
Miah Johnson
Both sudo and doas give you good logs for auditing who did what and when.
su logs too but as most people just jump to a shell its less useful.
Allowing shell execution via sudo, or doas will also mean you lose fine grained audits, which is where their configuration power comes in handy. As now you're specifying exactly what people can do, and that is what gets logged.
Miah Johnson
I've had to trim a bit from these to fit in the mastodon post length, so refer to sudoers(5) for more details.
The point being, that you can create a curated list of commands, arguments, and users that can be used through sudo. Its not just a tool to 'give me a root shell', its a tool to give users limited access to commands.
This can be extremely powerful if you need to let users who don't really know UNIX into a system to execute some commands with more privilege.
Miah Johnson
Of course the sudoers file also allows you to bind to LDAP too, so you can actually store the entire ruleset in a single location to be used by all of your systems without any 'configuration management'.
LDAP gives you some other features that typically come with configuration management too, like auditability of who made changes and when, as well as the ability to store diffs as changes and go through an approval process.
Everybody hates LDAP for reasons.. But its fine. Its good actually!
Miah Johnson
A /etc/sudoers example from the man page:
The user tcm may run commands that access a modem device file with the dialer group:
`tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
/usr/local/bin/minicom`
Miah Johnson
Another /etc/sudoers example from the man page:
The operator user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory /usr/oper/bin/.
`
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/`
Miah Johnson
sudo is 'Switch User and Do'. You can still do all of the same things that you can with su, but you can also build a ACL that specifies what users, commands, and arguments a user is allowed to invoke.
The /etc/sudoers file is described using Extended Backus-Naur Form (EBNF) rules. Most people just add their user with a glob. Something like this:
`miah ALL=(ALL:ALL) ALL`
But you can go MUCH MUCH more complex. I'm going to use some examples from the man page.
Miah Johnson
So why do we need sudo if we have su?
Well, su is very basic. You can 'Switch Users' (su). That's basically all there is to it. You can switch users, and invoke a shell. You can switch users and execute a command. You can pass some arguments to maybe inherit the environment or set $HOME appropriately. But thats basically it for su(1).
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.