
I think `joshguthrie` means something along the lines of this:

http://harmful.cat-v.org/cat-v/

I think `su` is pretty good as-is, but sudo has a bit of feature creep. For example, I don't think these belong in sudo (taken from Linux):

-e: edit something

-l: list allowed/forbidden commands

-p: change prompt

Ideally, sudo would just run as root and su would just switch users. Then instead of:

sudo -u some_user cmd

You'd do this instead:

sudo su -c "cmd" some_user

Su only does one thing (switch users, -c for one-off cmd) and sudo only does one thing (change to root). Currently, both "sudo -u some_user cmd" and "sudo su -c some_user cmd" accomplish basically the same thing, which is a sign of feature creep.




"-e: edit something" (or 'sudoedit') is actually very useful. It makes a temporary copy of the file that is editable by your user, allowing the editor to be run without elevated privileges. After the editor quits, it moves the edited file back over the original.

This could be a simple wrapper script around sudo, but that could require entering the password twice.
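The copy, edit, write-back flow described in the comment above, sketched as the kind of wrapper script it mentions. This is an added example, not part of the thread and not sudo's own implementation; the function name `edit_via_copy` and the `PRIV` variable are hypothetical.

```shell
# Added illustration of a sudoedit-style flow; not sudo's actual code.
# PRIV (hypothetical knob) is the command prefix for the privileged steps.
# It defaults to "sudo"; set PRIV="" to try the flow on a file you own.
edit_via_copy() {
    target=$1
    priv=${PRIV-sudo}
    editor=${EDITOR:-vi}

    # Private temp file owned by the invoking user (mktemp creates it 0600).
    tmp=$(mktemp) || return 1

    # Privileged step 1: read the protected file into the user's copy.
    # The redirection is performed by the unprivileged shell.
    if ! $priv cat -- "$target" > "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi
    before=$(cksum < "$tmp")

    # Unprivileged step: the editor only ever touches the temp copy,
    # so editor plugins and shell escapes run as the invoking user.
    if ! $editor "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi

    # Nothing changed: skip the privileged write-back entirely.
    if [ "$(cksum < "$tmp")" = "$before" ]; then
        rm -f -- "$tmp"
        return 2
    fi

    # Privileged step 2: write the edited contents back.
    # tee rewrites the existing file, so its owner and mode are kept.
    $priv tee -- "$target" < "$tmp" > /dev/null
    status=$?
    rm -f -- "$tmp"
    return $status
}
```

The two privileged steps are separate sudo invocations, which is where the second password prompt mentioned above can come from.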


sudo has security features. It's possible to restrict the set of commands that can be executed, for example. What would be a Unixy way to do that? How can you decouple the thing that gives you root access from the thing that restricts what you can do with it?



