Can't su anymore
Dan Shoop
shoop at iwiring.net
Mon Feb 25 21:23:38 PST 2008
On Feb 25, 2008, at 6:51 PM, LuKreme wrote:
> On 25-Feb-2008, at 14:08, Don Montalvo wrote:
>> "Jared Earle" <jearle at gmail.com> wrote:
>>> On Mon, Feb 25, 2008 at 5:47 PM, Philip Mötteli
>>> <Philip.Moetteli at tele2.ch> wrote:
>>>> So, being in the root console, I can 'su' to root – though the
>>>> prompt changes.
>>>
>>> Does "sudo su -" work?
>>
>> I use "sudo -s"
>
>
> But that is not the same thing as sudo su -
Not always, but normally so, yes. If root had some shell different
than the invoker's then it could be different.
On Feb 25, 2008, at 8:34 PM, John Musbach wrote:
> Also, for security reasons it is not
> recommended that you have the root account enabled. Instead, use "sudo
> command" to temporarily provide root privileges when needed for
> "command" and if absolutely necessary (use sparingly!) use "sudo -s"
> to get a root prompt. Additionally, it is preferred for security
> reasons that day to day operations are run under a user account with
> normal privileges and that a secondary administrative account be
> created so that it can be su'd to when the need to use sudo (or do
> other administrative tasks such as install new programs) arises.
YMMV. These "recommendations" and "preferences" are just the way some
view this "concern". "Day to day" non-root operations, like reading
email and surfing porn, are not generally done from the root account
anyway, leaving the account used for, well, the same exact tasks you'd
have to sudo about with. So this buys you little overall. However it
does make certain types who enjoy security theater happier. In reality
logging into the root account (perhaps via ssh from a specifically
permitted machine/network using keys) and performing tasks x, y & z
adds no more real security than sudo x, sudo y, sudo z.
...and then there's the issue that sudo might not give you the same
exact environment that the root user has, which makes running (or
testing) certain processes potentially problematic.
Meanwhile the root account should be enabled in many specific cases
for OS X [Server], is enabled by default, and having it enabled,
especially using keys, allows you to connect to the machine in
circumstances where Password Services get fubar. So there are many
rationales to support enabling the root account.
So basically there's argument to be had either way.
Personally, as an old curmudgeon that has been using the root account
longer than sudo's juvenile existence I see no reason to change *my*
best practices.
Just my $0.02
-dhan
------------------------------------------------------------------------
Dan Shoop
Computer Scientist
iWiring / U.S. Technical Services
shoop at iwiring.net
AOL IM .................... iWiring
Nextel .................... 1-714-363-1174
Operations TOC (24/7) ..... 1-866-901-USTS
USTS Offices .............. 1-714-374-6300
For immediate response for urgent matters please speak to the Duty
Officer at the USTS Tactical Operations Center (above) who can reach
me by radio.