
Ironically, "sudo su" works really well if you do need to get to root. But yeah, "sudo" is a much safer practice.



If you have a sadist sysadmin he wouldn't allow you to use su or any other dangerous commands that are not approved. Sudo is a rather impressive tool. If you need to give someone access to root for one or two commands, it can do that. Its logging ability is lost when you do sudo su. You should avoid it as much as possible on servers with many admins. That log trail can be a real butt saver.


I sudo su very frequently because I'm almost always executing more than one command as root. Standard warnings apply, but my approach for being sure that I am who I think I am is to put my username in my prompt and color code it so that when I'm root the username turns red.

I also color code the hostname so that I can tell at a glance what machine I'm on.

For example,

    export PS1='[\[\033[1;34m\]\u\[\033[0m\]@\[\033[1;30m\]\h\[\033[0m\] $newPWD]\$ '

where $newPWD is a friendly, shortened $PWD.

On that same machine, the root prompt is identical except that the color is set to 1;31m instead of 1;34m, which makes it bright red.


No need for 'su' to get a root shell. You can use 'sudo -s' for that, and you still set a root-specific PS1 in the bashrc file.


This doesn't always run the same rc scripts (depending on the shell and local convention). I'm used to typing sudo su - (with optional username) to get the environment as close as possible to what it would be if I logged in as the target user.


sudo -s launches a shell in non-interactive mode (which goes through .bashrc or .zshenv and .zshrc depending on your shell) whereas sudo -i emulates a user login which puts the shell in interactive mode (.profile, .zshenv).

Also -i does more stuff to simulate a login like setting $HOME and cd'ing there.

Usually you might want to use sudo -i or 'su -' which both simulate a login. But sudo su - really isn't needed any more since -i has been added.


Old habits die hard.


  alias ssu='sudo /bin/bash -login'


I have generally found the difference between a $ and # prompt sufficient enough. I guess colours can't hurt though.


"sudo -i", please!


sudo vi^Mpassword^M:shell

Years ago a friend of mine asked my help in securing a Unix system with sudo. I basically told him it was nearly impossible because there were (and still are) too many ways to escape back to a root shell with sudo, so, in my humble opinion, it gives a false sense of security.


I don't think the point is "more secure" root access. Rather, sudo is just a convenient way to invoke superuser privileges only when necessary.

If you need a longer session with uid 0, use sudo -i. Having a separate root login is pretty much pointless. I doubt having separate passwords helps security either, since local privilege escalation vulnerabilities are common anyway.

I've used sudo to restrict root access to specific command line invocations for certain users. With due care (i.e. no access to software with shell escapes) it is secure.

In any case, distributions seem to be moving towards eliminating the superuser altogether in common use cases. I think advocating sudo was just the beginning.


But as far as letting people run a root shell goes, sudo is a handy way to do it.


Start by disallowing vi through sudo and tell people to use sudo -e instead.


sudo $YOUR_SHELL_NAME_HERE achieves the same purpose.


Or you can just use "sudo -i"


`sudo -s` works nicely too.
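
Added example, not part of any comment in this thread: a small audit of sudo's log that flags the entries after which the per-command trail stops, either because the command is a root shell (`sudo su`, `sudo -s`, `sudo -i`) or because it is an editor with a shell escape such as vi. It assumes sudo's default syslog line format; the log lines, host and user names are constructed, and the `ESCAPERS` list is an assumption to extend per site.

```python
import os
import re

# Constructed sample lines in sudo's default syslog format (not from the thread).
SAMPLE_LOG = """\
Feb  3 10:15:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Feb  3 10:16:40 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Feb  3 10:20:12 web1 sudo:    carol : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Feb  3 10:22:55 web1 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
Feb  3 10:25:03 web1 sudo:      eve : TTY=pts/4 ; PWD=/etc ; USER=root ; COMMAND=sudoedit /etc/hosts
"""

ENTRY = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
SHELLS = {"su", "sh", "bash", "zsh", "ksh", "csh", "tcsh", "dash", "fish"}
ESCAPERS = {"vi", "vim"}  # assumed list: vi is the thread's example, extend per site


def classify(command):
    """Return why a logged command ends the per-command trail, or None."""
    prog = os.path.basename(command.split()[0])
    if prog in SHELLS:
        return "root shell"
    if prog in ESCAPERS:
        return "shell escape possible"
    return None  # e.g. sudoedit (sudo -e): the editor runs as the invoking user


def audit(log_text):
    """Return (user, command, reason) for each root entry worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m or m.group("runas") != "root":
            continue
        reason = classify(m.group("cmd"))
        if reason:
            findings.append((m.group("user"), m.group("cmd"), reason))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_LOG):
        print(f"{user}: {cmd} -> {reason}")
```
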



