Why 'sudo' when you can just 'su'?

When I started using Linux, "sudo" wasn't nearly as common as it is now. Back then, many Linux distributions didn't even install "sudo" out of the box. Instead, users just used "su" to switch user to root when they needed superuser privileges...

Comments
Author

No matter if you sudo or su, at least we can all agree that this is like a million times better than "Are you sure you want to run this as admin? [Yes] [No]"

Finkelfunk
Author

Another advantage of using sudo accounts is accountability in seeing in the logs who did what on the system. If all actions are done by root, no matter who logged in, you have no accountability.

kjakobsen
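
The accountability point above, shown on sudo's syslog lines (an added example, not part of the comment; the log lines are constructed and the class labels are this example's own). It attributes each sudo invocation to the invoking user and marks entries that only start a shell or su, after which sudo's default log no longer records individual commands.

```shell
#!/bin/sh
# Added example: attribute sudo activity to the invoking user from
# syslog-format sudo lines. The sample log below is constructed.

sudo_audit() {                        # reads log lines on stdin
    awk '
    / sudo(\[[0-9]+\])?: / && /COMMAND=/ {
        sub(/^.* sudo(\[[0-9]+\])?: +/, "")   # drop timestamp, host, tag
        user = $1
        match($0, /COMMAND=/)
        cmd = substr($0, RSTART + RLENGTH)
        # "shell": an interactive shell or su was started, so whatever is
        # typed inside it does not appear as further sudo log lines.
        class = "command"
        if ($0 ~ /NOT in sudoers|command not allowed/)
            class = "denied"
        else if (cmd ~ /^(\/usr)?\/bin\/((ba|da|z)?sh|su)( |$)/)
            class = "shell"
        printf "%s\t%s\t%s\n", user, class, cmd
    }'
}

sample_log() {                        # constructed sample input
    cat <<'EOF'
Mar  3 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:17:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:17:44 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by bob(uid=1001)
Mar  3 10:21:09 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:30:12 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su - postgres
Mar  3 10:31:00 web01 sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
EOF
}

sample_log | sudo_audit
```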
Author

Little nitpick: When using su, just do exit to go back to your previous user instead of running the command again, or else you will get nested shells.

kreuner
Author

The 'enhanced' security that `sudo` might provide over `su` is a fallacy in my opinion. You can still log in as root with `sudo -i` or `sudo -s` depending on what you want to do. You can neutralize your system with a single command or a bunch of them. It's brute power regardless of how it was attained.

It's mainly a matter of what and how often you perform your system maintenance. Sometimes you might want to do a bunch of tasks and it's more practical to switch user as `root` and perform them.

Using `su` is not old school. It's still valid and alive today. With `su` you *need* the `root` user password. With `sudo` you use your user's password and hence you won't compromise the `root` account and you can also limit the commands a `sudoer` can execute.

Ultimately it's a matter of taste, workflow and security policies.

OctaviusPelagius
Author

As always writing a comment to support the channel

burning_KFC
Author

My first distro was Slackware. I remember using the root user account a lot, and later using su and much later sudo.

christer
Author

The sudoers file is a mighty tool.
You could restrict users to specific programs as root etc.
But it's best suited for server usage.

But if you're using just a single desktop system, use doas.

Author

Regarding logging in as another user (either fully, or just in a terminal session): you yourself can be a danger. Say you take a break and come back some time later and forget that you're logged in as root (I know, in terminals you have a different prompt, but not everybody is used to that).

And if you forget that you're logged in as root, you might do things that you don't want to do. Commands that you run and that create files or folders, they will be owned by root. And you might find out later that your user doesn't have access to them or that some daemon cannot interact with said files anymore or things of that nature.

Winnetou
Author

sudo is a security nightmare. There are tons of vulnerabilities connected to sudo, and administering sudoers files for many users on many machines is almost impossible. So while it might make sense for home desktop users who don't know what they are doing, it doesn't for bigger companies with a large number of servers and users. Also, if a user has unlimited sudo access then the attacker only needs to know his password to get complete control of the system instead of the root password, which is usually much harder to get. The SSH argument is just showing your lack of knowledge. No one should use password authentication on SSH, especially on machines connected to the internet, and you can disable root access on the SSH level as well, so there is no need to disable root on the system level. I have worked as a system engineer for large companies for more than 20 years and there are many reasons why we don't use sudo.

BlkRider
Author

If some bad agent gets physical access to your computer, surely you got bigger problems than file permissions.

That said, sudo is a great tool to protect the user from himself. Just the extra confirmation prompt alone already saved me from doing some undesirable actions.

excidium_
Author

I remember the su command from my Red Hat Linux days. Absolutely correct, if you logged in as root user, basically anyone with access to the terminal is logged in as the root user.

keylowmike
Author

A terminal is a basic thing that is almost always open on my computers, often with multiple tabs with SSH sessions and what not. You will also, most of the time, find one or two 'sudo -s' tabs. If I need to do more than a single command as root, I always launch a root session. The advantage of sudo is not that su allows someone to sit down at your computer. The worst damage to my system would be to delete my personal files, no root required. If they only break the system, I can simply restore it. Also, I know who is in my house at a given time and I switch off or lock my computers when not using them.

The advantage of sudo over su is the fact that you can disable root login. Anyone requiring root will have to go through sudo initially to do so. On a personal system with a single user, I don't think this makes any difference at all. If you have a user password, that password can easily be used twice using sudo. But on a corporate network this will make a huge difference. Each user will have their own separate password, logs can be traced much easier, temporary access can be granted without exposing some shared super secret password etc.

danielberglv
Author

Another very thoughtful video. Thanks DT!

KevinBReynolds
Author

I'm using Doas instead of Sudo, I regret nothing. Also having to set up the config yourself is a level of transparency I can subscribe to. Literally one line and less than fifteen characters across is enough to keep you from borking your single-user setup.

phonewithoutquestion
Author

I wanted to note something about the su method. Both here and in another video of yours I remember you saying something along the lines of "su to the root user and then su back to your regular user". That is even worse of a security risk! Su opens a new shell instance with the user you specify, so you end up with nested shells, meaning that after you su back to the regular user, a malicious attacker could just type "exit" to quit the regular shell and get back to the parent root shell!

Example:
$ echo $UID
1000 (regular user)
$ su root
Password: ...
# echo $UID
0 (root user)
# su user
$ echo $UID
1000 (regular user)
$ exit
# echo $UID
0 (back to root user!)
# exit
$ echo $UID
1000 (back to regular user)
$ exit
shell exits

Instead of doing su user, simply exit the root shell.
$ echo $UID
1000 (regular user)
$ su root
Password: ...
# echo $UID
0 (root user)
# exit
$ echo $UID
1000 (back to regular user)
$ exit
shell exits

WillyJL
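
A check for the state shown in the session above, added here and not part of the comment: it walks the parent chain in /proc and reports any root-owned shell sitting above a non-root shell. The function names, the shell-name list and the PROC_ROOT argument are assumptions of this example, and the process tree it runs on is constructed.

```shell
#!/bin/sh
# Added example, not from the comment. Assumes Linux procfs; the PROC_ROOT
# argument is a hypothetical override so the walk can run on a constructed tree.
status_field() {                      # status_field FILE KEY
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# Print "PID NAME" for each root-owned shell above a non-root process.
root_shell_ancestors() {              # root_shell_ancestors [PID] [PROC_ROOT]
    pid=${1:-$$}
    proc=${2:-/proc}
    [ -r "$proc/$pid/status" ] || return 0
    # Starting as root: there is nothing more privileged to fall back into.
    if [ "$(status_field "$proc/$pid/status" Uid)" = 0 ]; then return 0; fi
    pid=$(status_field "$proc/$pid/status" PPid)
    while [ "${pid:-0}" -gt 0 ] && [ -r "$proc/$pid/status" ]; do
        name=$(status_field "$proc/$pid/status" Name)
        uid=$(status_field "$proc/$pid/status" Uid)     # first value: real UID
        case $name in
            sh|bash|dash|zsh|ksh|fish)
                if [ "$uid" = 0 ]; then echo "$pid $name"; fi ;;
        esac
        pid=$(status_field "$proc/$pid/status" PPid)
    done
}

# Constructed tree for the session in the comment above:
# login shell (1000) -> su -> root shell -> su user -> shell (1000).
make_demo_tree() {                    # make_demo_tree DIR
    while read -r p name ppid uid; do
        mkdir -p "$1/$p"
        printf 'Name:\t%s\nPPid:\t%s\nUid:\t%s\t%s\t%s\t%s\n' \
            "$name" "$ppid" "$uid" "$uid" "$uid" "$uid" > "$1/$p/status"
    done <<'EOF'
1 systemd 0 0
100 sshd 1 0
200 bash 100 1000
300 su 200 0
301 bash 300 0
400 su 301 0
401 bash 400 1000
EOF
}

demo=$(mktemp -d)
make_demo_tree "$demo"
root_shell_ancestors 401 "$demo"      # nested session: reports the root shell
root_shell_ancestors 200 "$demo"      # plain login shell: reports nothing
rm -rf "$demo"
```

Called with no arguments, `root_shell_ancestors` inspects the current shell through the live /proc; on systems that mount /proc with hidepid the walk stops at the first process it cannot read.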
Author

You can also use sudo to allow certain commands to be run as a different user. For a single user system it may not be the most important use, but for a multi-user system it can be handy.

mikechappell
Author

Having been a Unix admin, I did indeed wonder. Thanks!

BWGPEI
Author

At a previous job, our Linux setup was a little weird. We had a service account on the machine that 'owned' the webserver or DB server, etc, application, but we had to log in with our own user account.

By adding the user accounts to the sudoers file and only allowing certain commands -- sudo su [account] and sudo su - [account] -- we could share the service account without having either the root password or the service account password.

brmolnar
Author

Good to know. Thank you. I was curious about this but never looked into it. Makes good sense.

nemonada
Author

Since I switched to Linux, Phil Collins' Sussudio never sounds the same anymore 🤣😭

ArniesTech