Perplexed about Ubuntu’s sudoers configuration

Recently I’ve been administering my first Ubuntu machine and I already feel a bit perplexed about its security setup.

The issue is that by default, the root account password is locked in Ubuntu and you are encouraged never to use root, but rely on sudoers for system administration.

I’ve read the rationale on Ubuntu’s wiki and I agree on some points, but their mindset is totally biased towards a desktop setup.

Let’s consider these points from their site:

  • Benefits of using sudo: Users don’t have to remember an extra password.

    This is cool for Average Joe, but don’t tell me that it’s an advantage on a serious server: it’s actually a downside, see the next point.

  • Every cracker trying to brute-force their way into your box will know it has an account named root and will try that first. What they don’t know is what the usernames of your other users are. Since the root account password is locked, this attack becomes essentially meaningless, since there is no password to crack or guess in the first place.

    Sure, the attack on root becomes useless, too bad that SSH brute-force attacks usually try lots of different usernames. If the manage to break a single account of a sudoer, they automatically have control of your machine. If you had to remember a different password to su your way, it would make their life a bit harder.

  • Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from groups, while not compromising the root account.

    err… what does “not compromising the root account” actually mean? If I get admin rights, I can do whatever I want, including compromising any account. Unless I get authorisation just to run a limited set of commands through sudo, but that’s not the point of this post.

  • The root account password does not need to be shared with everybody who needs to perform some type of administrative task(s) on the system.

    ok, but what problem does it solve? (apart from avoiding people shouting the root password when they shouldn’t :-))

    If I want to remove a person from the admin group, I need to trust her not to have planted any malicious program (rootkits, backdoors…) or rebuild the system if I’m paranoid, if I really want to be on the safe and paranoid side.

    IMHO, it’s just the same as changing the root password when one is gone, or even better, periodically.

I’m not convinced. I still prefer the common su approach typical of almost all the other distributions…

Leave a Reply

Your email address will not be published. Required fields are marked *