
su vs sudo

Posted: Sat Jun 24, 2023 7:44 am
by scsijon

The sudo and su commands belong to the group of commands every Linux user comes across. Because they are similar in syntax and have overlapping functions, many new users are unsure when to use one over the other. Both su and sudo elevate privileges assigned to the current user, but not in the same way.

The main difference between the two is that su requires the password of the target account, while sudo requires the password of the current user. It is generally much safer to use sudo since it doesn’t include exchanging sensitive information or settings.
Additionally, it is advisable to stick to sudo when performing tasks that require root privileges.
By doing so, the current user is only granted privileges for the specified command.

On the other hand, su switches to the root user completely, exposing the entire system to potential accidental modification.

Therefore you need to seriously consider which you need to use for what.


Re: su vs sudo

Posted: Sat Jun 24, 2023 12:27 pm
by BarryK

scsijon is replying to this blog post:

https://bkhome.org/news/202306/goodbye- ... ckage.html

I don't see that the supposed advantages of sudo apply in the case of Easy.

Firstly, Easy is a single-user system, and the human user is already running as root.
Entering a non-root password to run as root does not apply to EasyOS.

Secondly, that single human user will know the root password, and is entitled to unfettered access to everything.

Where su will be used is for apps that run non-root, such as the web browsers, Hexchat and all the appimages and flatpaks. If one of those apps tries to run a script that requires root privileges, they will be asked for the root password.
If somehow there was an invasion into that app, via the network or a dodgy app, the invader would have to know the root password to run the elevated utilities.


Re: su vs sudo

Posted: Sun Jun 25, 2023 6:03 am
by scsijon

I wasn't knocking what you were proposing, just initially making sure we are on the same page.

However since first reading it and further thinking and a little bit of further research about it, maybe would you / could you consider this;

Using SU as root or not gives you full root privileges, including change of any setting anywhere, including permissions and even logins and passwords could be altered / added / reconfigured by faulty or downloaded scripts (whether planned or not). SU could allow remote unauthorised access if someone wanted to be nasty and destroy, alter, or copy your system out remotely for any use. While sudo even as a root user gives access as root but not, as I understand it, to change settings and permissions etc.

Maybe I'm getting a little over-protective nowadays, but what I'm seeing out there is starting to worry me, even here in the relatively safe country of Australia.


Re: su vs sudo

Posted: Sun Jun 25, 2023 6:18 am
by dimkr
scsijon wrote: Sun Jun 25, 2023 6:03 am

Using SU as root or not gives you full root privileges

So does sudo, unless you restrict the user to specific commands, and the allowed commands cannot be manipulated to edit arbitrary files, etc.

A process you run as root via either su or sudo has the same permissions and can do the same damage.

However, sudo is much more complicated than su, because it parses more configuration files and relies on more input, like environment variables. Complexity leads to a long list of security vulnerabilities:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo

These vulnerabilities tend to be severe, because sudo is SUID root, so every user that runs sudo runs sudo's own code as root (even if sudo eventually denies this attempt to run a given command-line as root). If sudo is tricked into running an arbitrary command-line, the vulnerability is code execution and privilege escalation, not just the former.

https://cve.mitre.org/cgi-bin/cvename.c ... 2023-22809 is probably the most famous one from the last year, and this kind of vulnerability is the reason why I ensure none of my systems (including those that run Puppy or a Puppy-like distro) have sudo installed. If you don't need sudo, it gives you nothing but risk.
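
The condition raised in the reply above, that a sudo rule only limits a user when the allowed commands cannot be manipulated, can be checked mechanically. This is an added example, not part of the thread or any poster's code: a small auditor run over a constructed sudoers sample. The sample, the `RISKY` list and the `audit` function are assumptions made for illustration.

```python
import os
import re

# Constructed sample, not taken from any real system.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) /usr/bin/systemctl restart nginx
carol   ALL=(root) /usr/bin/vi /etc/hosts, \\
                   /usr/bin/less /var/log/syslog
"""

# Assumption: short, non-exhaustive list of programs that can write other
# files or start a shell once they are running as root.
RISKY = {"vi", "vim", "nano", "less", "more", "find", "awk", "tee", "cp",
         "tar", "sh", "bash", "python3", "perl"}

# user  host = (runas) command-list
RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
# Leading tags such as "NOPASSWD:" or "NOEXEC:" in front of a command.
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")

def audit(text):
    """Return (user, issue, command) for rules that amount to full root."""
    findings = []
    joined = re.sub(r"\\\n\s*", " ", text)  # join backslash continuations
    for line in joined.splitlines():
        line = line.strip()
        # Skip blanks, comments/includes, Defaults and alias definitions.
        # Limitation: "#uid" user specs and "\," inside arguments are not handled.
        if (not line or line[0] in "#@" or line.startswith("Defaults")
                or "_Alias" in line.split()[0]):
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, spec = m.groups()
        for cmd in (TAG.sub("", c.strip()) for c in spec.split(",")):
            if cmd == "ALL":
                findings.append((user, "unrestricted", cmd))
            elif os.path.basename(cmd.split()[0]) in RISKY:
                findings.append((user, "can-edit-or-spawn", cmd))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(*finding, sep="\t")
```

Only the `bob` rule in the sample passes: it names a fixed command that is not on the list, while every other rule is either `ALL` or runs a program that can reach other files as root.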