Dr Croubie
Posts: 2
Joined: Tue Sep 29, 2015 11:21 pm

su, not sudo?

Tue Sep 29, 2015 11:42 pm

Hi all,
So I've been a linux user for maybe 15 years, redhat7, mandrake, suse 9 then 10, but I've been on Gentoo for the best part of 10 years now, until yesterday when I got my pi2b, and this whole 'sudo' thing is already throwing security alarm bells (not to mention being really annoying).

So on Gentoo (and even back when I was using windows2000), I have two accounts: my everyday 'user' account who can't do squat except use the thing, and I have my 'root' account with full access to everything. When I want to change settings, add/remove programs, edit config files, etc, I login as root (usually using 'su'), when I want to browse the net or whatever, I login as user.

But on my pi, there's the default 'user' (called 'pi'), who can do anything he wants if it's prefixed with 'sudo <command>'. So far that seems:
a) annoying. I can't just login as root and do what I want and logout, I have to type every command, when it fails I have to go back and type 'sudo' at the beginning. I've had to type it to install gpm and vim, and even to shut down, and I've had to type sudo each time. With one root login I could have done all that and save having to type sudo every.single.damn.time.
b) extremely insecure. my user (who is logged in more often and thus has more chance of being hacked etc) can do everything they want just by typing 'sudo' first? Whoever thought that giving users access to bork stuff with one command was a good idea?

So to fix it, I just want to get a regular 'root' user. I know I can just "adduser root" (or, sorry, "sudo adduser root"), and then "chown root:root / -R" (oops, I mean "sudo chown root:root / -R").

But is it as simple as that? Will that bork anything, like if I "chown /proc" will that kill anything? So should I do it directory-by-directory, like "chown /etc" and "chown /usr" etc. Are there any other directories that I shouldn't chown, like /sys or something else?

I know Gentoo has other certain user/groups like the 'portage' user (mostly in /usr/portage), and if I chowned them to 'root' they'd probably stop working. Raspbian obviously doesn't have the portage system, but is there anything like it that should Not be chowned to 'root', like the equivalent apt-get?

User avatar
leol
Posts: 147
Joined: Fri Jan 13, 2012 4:27 pm
Location: Haute-Vienne, France

Re: su, not sudo?

Wed Sep 30, 2015 10:15 am

log in as user pi as normal
type in "sudo -i"
will take you to a root prompt "#"
create a root password using "passwd"

You now can log in as root.

Leo

Dalton63841
Posts: 32
Joined: Fri Oct 11, 2013 10:42 pm

Re: su, not sudo?

Wed Sep 30, 2015 11:10 am

Editing the sudoers file will control what can and cannot be done with sudo. You can also edit it to allow certain commands without needing sudo, such as shutdown and reboot. By default yea, it's a bit insecure because they assume the only non-root user will be admin and knows what they do and don't want. It's up to the user to tighten it down.

Also, instead of issuing sudo before every command, you can start with the command "sudo su" to give you a superuser shell.

Overall it seems like the problem is more of not being used to how Debian based distros operate in comparison to others.

ghans
Posts: 7868
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: su, not sudo?

Wed Sep 30, 2015 11:36 am

The sudo configuration of the official "Raspbian" image has been a deliberate (somewhat controversial ? :lol: ) decision of the foundation.

Debian does not ship with sudo by default , and therefore requests setup of a "proper" root password on first install.

ghans
• Don't like the board ? Missing features ? Change to the prosilver theme ! You can find it in your settings.
• Don't like to search the forum BEFORE posting 'cos it's useless ? Try googling : yoursearchtermshere site:raspberrypi.org

User avatar
jojopi
Posts: 3078
Joined: Tue Oct 11, 2011 8:38 pm

Re: su, not sudo?

Wed Sep 30, 2015 12:19 pm

Dr Croubie wrote:When I want to change settings, add/remove programs, edit config files, etc, I login as root (usually using 'su')
That is really no more secure than using sudo, with or without a password.

If you leave your terminal unattended, or run code from untrusted sources, your user account can be compromised. Next time you run su, the attacker can sniff the password, or append his own root commands to the ones you issue.

Since you use su on other platforms, you really ought to have known how to change the root password. And even without checking the documentation, it should be pretty obvious that "sudo bash" will start a root shell, so you do not have to prepend it to every command if you do not want.

The way to think of it is not that the Foundation are forcing you to use sudo, but rather that their images "only" have one preset password, whereas to allow su out of the box they would need two.

Do not chown anything in /etc, /usr, /proc, /sys, and especially not /! The default permissions are correct and you have not a clue what you are doing.

scotty101
Posts: 3649
Joined: Fri Jun 08, 2012 6:03 pm

Re: su, not sudo?

Wed Sep 30, 2015 2:34 pm

If you type a command that should have had 'sudo' at the start, you can just type 'sudo !!' on the next line which will rerun the previous command with sudo.
Electronic and Computer Engineer
Pi Interests: Home Automation, IOT, Python and Tkinter

Return to “Raspbian”