
Thread: What is the each command's different merit between su and sudo?

  1. #31
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,223
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: What is the each command's different merit between su and sudo?

    Quote Originally Posted by Doug S View Post
    Disagree.
    Well, the permissions for ping disagree:
    Code:
    $ ll -F /bin/ping
    -rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping*
    ping always runs with root privilege as shown by the permissions. It is a setuid program.

  2. #32
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,223
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: What is the each command's different merit between su and sudo?

    sudoedit can be configured to use any editor you prefer, including GUI editors. It is extremely safe to do that if you like.

    Many admin commands really need to become habits to keep us from making mistakes. sudoedit is one of those habits to re-re-re-enforce as much as possible.

    The main reason to avoid using GUI programs with sudo is that most GUIs have a bad habit of automatically saving config files without asking. nano, vim and pretty much every non-GUI program don't misbehave in that way.

    If you can always remember to use sudo -H {gui-program} then those problems can be avoided, but screw up once and you could end up with an account that doesn't let you log in. With enough experience, that problem is a minor inconvenience. For someone without experience, it probably seems like the entire system is broken and useless. It is all about file and directory permissions, which are foreign ideas to most new users coming from Windows.

  3. #33
    Join Date
    Mar 2020
    Beans
    15

    Re: What is the each command's different merit between su and sudo?

    Hello, ActionParsnip.
    Although this thread is an old one, you have checked and replied.
    Thank you!


    I heard Ubuntu is different from other distributions in handling the root account.

    Others allow users freely to log in as the root, don't they?

  4. #34
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    2,829
    Distro
    Ubuntu Development Release

    Re: What is the each command's different merit between su and sudo?

    Quote Originally Posted by TheFu View Post
    Well, the permissions for ping disagree:
    Code:
    $ ll -F /bin/ping
    -rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping*
    ping always runs with root privilege as shown by the permissions. It is a setuid program.
    My response was in reply to this:

    Did you know that a simple `ping' command must run as root?
    And I stand by the statement, and your own permissions example shows executable by anyone.
    And just try it, no sudo or root required. Example, with no "sudo" and not from a root prompt:

    Code:
    doug@s15:~/c$ ping google.com
    PING google.com (216.58.193.78) 56(84) bytes of data.
    64 bytes from sea15s07-in-f14.1e100.net (216.58.193.78): icmp_seq=1 ttl=120 time=22.1 ms
    64 bytes from sea15s07-in-f14.1e100.net (216.58.193.78): icmp_seq=2 ttl=120 time=21.7 ms
    64 bytes from sea15s07-in-f14.1e100.net (216.58.193.78): icmp_seq=3 ttl=120 time=21.9 ms
    I realize that the "s" (setuid) means set user ID upon execution, but fail to see the relevance to the question.
    Last edited by Doug S; 2 Weeks Ago at 02:21 PM.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  5. #35
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,223
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: What is the each command's different merit between su and sudo?

    That's odd. In 20.04, ping isn't setuid root.
    Code:
    -rwxr-xr-x 1 root root 72776 Jan 30 18:11 ping*
    https://www.reddit.com/r/linuxquesti...ypically_root/ says they are using setcap cap_net_raw+ep /bin/ping to allow ping to work without being setuid. VERY Cool.
    Code:
    $ getcap /bin/ping
    /bin/ping = cap_net_raw+ep
    Since the beginning of Unix (pre-1980), ping has been setuid root. I don't have an 18.04 system, so cannot check that, but on 16.04 the permissions most definitely are:
    Code:
    $ ll /bin/ping
    -rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping*
    So no su or sudo is needed, however that is because the ping command has "setuid root" file permissions. Take those away and it won't work. Ping runs with the "effective userid of root". The internal Unix process table has both the real (RUID) and the effective (EUID) userid. There's even a way to check when those are different. The "effective" owner of the process is 'root', not our userid for a microsecond.

    Use this ps command to see the RUID and EUID
    Code:
    $ ps -eo euser,ruser,suser,fuser,f,comm,label |egrep 'ping|LABEL'
    EUSER    RUSER    SUSER    FUSER    F COMMAND         LABEL
    tf       tf       root     tf       4 ping            unconfined
    Just like apache and nginx, ping "drops privilege" from root ASAP, which is why root is in the saved userid column. It starts up as EUID=root, opens the privileged network access, then drops back to the original userid. Any program connecting to any port under 0-1024 should do this. It is well-documented. Ping is just another one of those tools.

    https://en.wikipedia.org/wiki/Setuid
    Some of the tasks that require additional privileges may not immediately be obvious, though, such as the ping command, which must send and listen for control packets on a network interface.
    Appears a Wikipedia editor should update that entry to reflect current ping using cap_net_raw+ep capabilities. All because the NSA wanted a more secure system and helped RH create SELinux. Perhaps not. Perhaps the kernel team was just following what commercial UNIX vendors had been adding since early Solaris releases.

    I learned a bunch of new stuff today. Thanks for the discussion.
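
The real, effective and saved user IDs that the ps command in the post above prints are also exposed as the `Uid:` line of `/proc/<pid>/status` (order: real, effective, saved, filesystem). The script below is an added example, not part of the original post: it classifies that line and lists live processes whose IDs are not all equal. The function names and the UID 1000 in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example. /proc/<pid>/status has a line "Uid: real effective saved fs".

# classify_uids REAL EFFECTIVE SAVED: name the privilege state of a process.
classify_uids() {
    ruid=$1; euid=$2; suid=$3
    if [ "$ruid" = "$euid" ] && [ "$euid" = "$suid" ]; then
        if [ "$euid" = 0 ]; then echo root; else echo unprivileged; fi
    elif [ "$euid" = 0 ]; then
        echo elevated              # e.g. a setuid-root binary before it drops
    elif [ "$ruid" = 0 ] || [ "$suid" = 0 ]; then
        echo dropped-regainable    # ping in the ps output: EUSER=user, SUSER=root
    else
        echo mixed                 # setuid to some non-root account
    fi
}

# uid_state_from_status: read status text on stdin and classify its Uid: line.
uid_state_from_status() {
    while read -r key r e s _fs; do
        if [ "$key" = "Uid:" ]; then
            classify_uids "$r" "$e" "$s"
            return 0
        fi
    done
    return 1
}

# scan_procs: list live processes whose real/effective/saved UIDs differ.
scan_procs() {
    for st in /proc/[0-9]*/status; do
        state=$(uid_state_from_status 2>/dev/null < "$st") || continue
        case $state in
            root|unprivileged) ;;
            *) printf '%s\t%s\n' "${st%/status}" "$state" ;;
        esac
    done
}

# Constructed sample mirroring the ps line from the post (user's UID assumed 1000).
printf 'Name:\tping\nUid:\t1000\t1000\t0\t1000\nGid:\t1000\t1000\t1000\t1000\n' |
    uid_state_from_status
scan_procs
```

A binary that gets its privilege from `cap_net_raw+ep` instead of the setuid bit shows up as `unprivileged` here, because file capabilities do not change any of the user IDs.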

  6. #36
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    2,829
    Distro
    Ubuntu Development Release

    Re: What is the each command's different merit between su and sudo?

    Quote Originally Posted by TheFu View Post
    I learned a bunch of new stuff today. Thanks for the discussion.
    Likewise. Thanks for taking the time to do the research and writing it up for all of us.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  7. #37
    Join Date
    Aug 2011
    Location
    51.8° N 5.8° E
    Beans
    5,232
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: What is the each command's different merit between su and sudo?

    Quote Originally Posted by ActionParsnip View Post
    sudo vi file

    Too safe?
    sudoedit file will copy the file to a temporary location, then run the text editor as the normal user and after closing the editor, will copy the (modified) file back. Only the copy operation needs root permissions.
    sudo vim file will run the entire text editor as the root user. This means that the user can now edit other files as well and can even start a root shell. A user who can run sudo vim file can do everything on a system.

  8. #38
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,223
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: What is the each command's different merit between su and sudo?

    Quote Originally Posted by Impavidus View Post
    sudoedit file will copy the file to a temporary location, then run the text editor as the normal user and after closing the editor, will copy the (modified) file back. Only the copy operation needs root permissions.
    sudo vim file will run the entire text editor as the root user. This means that the user can now edit other files as well and can even start a root shell. A user who can run sudo vim file can do everything on a system.
    That's 1 example, but humans are crafty. Gotta learn to think like a hacker to understand some of the ways sudo can be abused. There are ALWAYS other methods. Always.

    As the sudo people create mitigations against 1 potential abuse method, others are found. sudoedit only leaves 1 thing - the copy and file permission+ownership - as risks, not hundreds of ways that any arbitrary editor can be abused. Sudoers who are limited against running editors, for example, have been known to just copy the editor to a different name+location, then use sudo with that alternate. Or change their PATH. Or ... 50+ other methods.

    As stated above, it is best just to get into the habit of using sudoedit. Plus we get to choose any EDITOR we like and don't have any risks with the editor creating config files (and directories) as root in the wrong places.
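
The difference between granting `sudo vim file` and `sudoedit file`, discussed in the two posts above, can be checked in sudoers rules. The script below is an added example, not code from the thread or from the sudo project: it reads sudoers-style lines and prints every rule that runs a whole editor as root, while accepting `sudoedit` rules. The editor list, the function names and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
EDITORS='vi vim nvim nano emacs ed pico gedit'   # assumed list, extend as needed

# flag_editor_rules: read sudoers-style lines on stdin, print "line: command"
# for each granted command whose program name is a known editor.
flag_editor_rules() {
    awk -v editors="$EDITORS" '
        BEGIN { n = split(editors, e, " "); for (i = 1; i <= n; i++) bad[e[i]] = 1 }
        /^[ \t]*#/        { next }      # comments and #include lines
        /^[ \t]*$/        { next }      # blank lines
        /^[ \t]*Defaults/ { next }      # option lines, not command grants
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)          # drop "user host ="
            gsub(/\([^)]*\)|[A-Z_]+:/, "", spec)    # drop (runas) and tags such as NOPASSWD:
            m = split(spec, cmds, ",")
            for (i = 1; i <= m; i++) {
                c = cmds[i]
                sub(/^[ \t]+/, "", c)
                split(c, w, " ")                    # w[1] is the program path
                prog = w[1]
                sub(/.*\//, "", prog)               # basename of the program
                if (prog in bad) print NR ": " c
            }
        }'
}

# Constructed sample rules, not from a real system.
sample_rules() {
    cat <<'EOF'
# constructed sample rules
alice ALL=(root) /usr/bin/vim /etc/hosts
bob   ALL=(root) sudoedit /etc/hosts
carol ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx, /usr/bin/nano
EOF
}

sample_rules | flag_editor_rules
```

The check matches on program name only, so it finds editor grants in the rules themselves and not an editor that was copied to another name or location.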

  9. #39
    Join Date
    Feb 2007
    Location
    Romania
    Beans
    Hidden!

    Re: What is the each command's different merit between su and sudo?

    Quote Originally Posted by Captain Cookie View Post
    I heard Ubuntu is different from other distributions in handling the root account.

    Others allow users freely to log in as the root, don't they?
    Not sure what you mean by logging in, but as far as I know, by default, none of the mainstream display(/login) managers will allow you to start a GUI session as root (by default).

  10. #40
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,002
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: What is the each command's different merit between su and sudo?

    I don't think others allow login to a graphical desktop as root. But lots of other distros do allow login as root either on a text console or on a remote ssh session.
    On Ubuntu, it is the fact that root's password is disabled by default that prevents login as root. It is of course possible to set a valid password, or configure password-less login to root using ssh keys.
    And there are lots of system processes running as root even though user login as root is not possible because the password is disabled.
    Last edited by The Cog; 1 Week Ago at 10:57 PM.
