Home » Which is the safest way to get root privileges: sudo, su or login?

Which is the safest way to get root privileges: sudo, su or login?


Security is always about making trade-offs. Just like the proverbial server which is in a safe, unplugged, at the bottom of the ocean, root would be most secure if there were no way to access it at all.

LD_PRELOAD and PATH attacks like those you describe assume that there is an attacker with access to your account already, or at least to your dotfiles. Sudo doesn’t protect against that very well at all — if they have your password, after all, no need to try tricking you for later… they can just use sudo now.

It’s important to consider what Sudo was designed for originally: delegation of specific commands (like those to manage printers) to “sub-administrators” (perhaps grad students in a lab) without giving away root completely. Using sudo to do everything is the most common use I see now, but it’s not necessarily the problem the program was meant to solve (hence the ridiculously complicated config file syntax).

But, sudo-for-unrestricted-root does address another security problem: manageability of root passwords. At many organizations, these tend to be passed around like candy, written on whiteboards, and left the same forever. That leaves a big vulnerability, since revoking or changing access becomes a big production number. Even keeping track of what machine has what password is a challenge — let alone tracking who knows which one.

Remember that most “cyber-crime” comes from within. With the root password situation described, it’s hard to track down who did what — something sudo with remote logging deals with pretty well.

On your home system, I think it’s really more a matter of the convenience of not having to remember two passwords. It’s probable that many people were simply setting them to be the same — or worse, setting them to be the same initially and then letting them get out of sync, leaving the root password to rot.

Using passwords at all for SSH is dangerous, since password-sniffing trojaned ssh daemons are put into place in something like 90% of the real-world system compromises I’ve seen. It’s much better to use SSH keys, and this can be a workable system for remote root access as well.

But the problem there is now you’ve moved from password management to key management, and ssh keys aren’t really very manageable. There’s no way of restricting copies, and if someone does make a copy, they have all the attempts they want to brute-force the passphrase. You can make policy saying that keys must be stored on removable devices and only mounted when needed, but there’s no way of enforcing that — and now you’ve introduced the possibility of a removable device getting lost or stolen.

The highest security is going to come through one-time keys or time/counter-based cryptographic tokens. These can be done in software, but tamper-resistant hardware is even better. In the open source world, there’s WiKiD, YubiKey, or LinOTP, and of course there’s also the proprietary heavyweight RSA SecurID. If you’re in a medium-to-large organization, or even a security-conscious small one, I highly recommend looking into one of these approaches for administrative access.

It’s probably overkill for home, though, where you don’t really have the management hassles — as long as you follow sensible security practices.

This is a very complex question. mattdm has already covered many points.

Between su and sudo, when you consider a single user, su is a little more secure in that an attacker who has found your password can’t gain root privileges immediately. But all it takes is for the attacker to find a local root hole (relatively uncommon) or install a trojan and wait for you to run su.

Sudo has advantages even over a console login when there are multiple users. For example, if a system is configured with remote tamper-proof logs, you can always find out who last ran sudo (or whose account was compromised), but you don’t know who typed the root password on the console.

I suspect Ubuntu’s decision was partly in the interest of simplicity (only one password to remember) and partly in the interest of security and ease of credential distribution on shared machines (business or family).

Linux doesn’t have a secure attention key or other secure user interface for authentication. As far as I know even OpenBSD doesn’t have any. If you’re that concerned about root access, you could disable root access from a running system altogether: if you want to be root, you would need to type something at the bootloader prompt. This is obviously not suitable for all use cases. (*BSD’s securelevel works like this: at a high securelevel, there are things you can’t do without rebooting, such as lowering the securelevel or accessing mounted raw devices directly.)

Restricting the ways one can become root is not always a gain for security. Remember the third member of the security triad: confidentiality, integrity, availability. Locking yourself out of your system can prevent you from responding to an incident.

The designers of the secured OpenWall GNU/*/Linux distro have also expressed critical opinions on su (for becoming root) and sudo. You might be interested in reading this thread:

…unfortunately both su and sudo are subtly but fundamentally

Apart from discussing the flaws of su and other things, Solar Designer also targets one specific reason to use su:

Yes, it used to be common sysadmin
wisdom to “su root” rather than login
as root. Those few who, when asked,
could actually come up with a valid
reason for this preference would refer
to the better accountability achieved
with this approach. Yes, this really
is a good reason in favor of this
approach. But it’s also the only one. …(read more)

In their distro, they have “completely got rid of SUID root programs in the default install” (i.e., including su; and they do not use capabilities for this):

For servers, I think people need to
reconsider and, in most cases,
disallow invocation of su and sudo by
the users. There’s no added security
from the old “login as non-root, then
su or sudo to root” sysadmin “wisdom”,
as compared to logging in as non-root
and as root directly (two separate
sessions). On the contrary, the
latter approach is the only correct
one, from a security standpoint:


(For accountability of multiple
sysadmins, the system needs to support
having multiple root-privileged
accounts, like Owl does.)

(For desktops with X, this gets

You also absolutely have to deal with…

BTW, they were to replace sulogin with msulogin to allow the setup with multiple root accounts: msulogin allows one to type in the user name also when going into the single user mode (and preserve the “accountability”) (this info comes from this discussion in Russian).

Related Solutions

Joining bash arguments into single string with spaces

[*] I believe that this does what you want. It will put all the arguments in one string, separated by spaces, with single quotes around all: str="'$*'" $* produces all the scripts arguments separated by the first character of $IFS which, by default, is a space....

AddTransient, AddScoped and AddSingleton Services Differences

TL;DR Transient objects are always different; a new instance is provided to every controller and every service. Scoped objects are the same within a request, but different across different requests. Singleton objects are the same for every object and every...

How to download package not install it with apt-get command?

Use --download-only: sudo apt-get install --download-only pppoe This will download pppoe and any dependencies you need, and place them in /var/cache/apt/archives. That way a subsequent apt-get install pppoe will be able to complete without any extra downloads....

What defines the maximum size for a command single argument?

Answers Definitely not a bug. The parameter which defines the maximum size for one argument is MAX_ARG_STRLEN. There is no documentation for this parameter other than the comments in binfmts.h: /* * These are the maximum length and maximum number of strings...

Bulk rename, change prefix

I'd say the simplest it to just use the rename command which is common on many Linux distributions. There are two common versions of this command so check its man page to find which one you have: ## rename from Perl (common in Debian systems -- Ubuntu, Mint,...

Output from ls has newlines but displays on a single line. Why?

When you pipe the output, ls acts differently. This fact is hidden away in the info documentation: If standard output is a terminal, the output is in columns (sorted vertically) and control characters are output as question marks; otherwise, the output is...

mv: Move file only if destination does not exist

mv -vn file1 file2. This command will do what you want. You can skip -v if you want. -v makes it verbose - mv will tell you that it moved file if it moves it(useful, since there is possibility that file will not be moved) -n moves only if file2 does not exist....

Is it possible to store and query JSON in SQLite?

SQLite 3.9 introduced a new extension (JSON1) that allows you to easily work with JSON data . Also, it introduced support for indexes on expressions, which (in my understanding) should allow you to define indexes on your JSON data as well. PostgreSQL has some...

Combining tail && journalctl

You could use: journalctl -u service-name -f -f, --follow Show only the most recent journal entries, and continuously print new entries as they are appended to the journal. Here I've added "service-name" to distinguish this answer from others; you substitute...

how can shellshock be exploited over SSH?

One example where this can be exploited is on servers with an authorized_keys forced command. When adding an entry to ~/.ssh/authorized_keys, you can prefix the line with command="foo" to force foo to be run any time that ssh public key is used. With this...

Why doesn’t the tilde (~) expand inside double quotes?

The reason, because inside double quotes, tilde ~ has no special meaning, it's treated as literal. POSIX defines Double-Quotes as: Enclosing characters in double-quotes ( "" ) shall preserve the literal value of all characters within the double-quotes, with the...

What is GNU Info for?

GNU Info was designed to offer documentation that was comprehensive, hyperlinked, and possible to output to multiple formats. Man pages were available, and they were great at providing printed output. However, they were designed such that each man page had a...

Set systemd service to execute after fstab mount

a CIFS network location is mounted via /etc/fstab to /mnt/ on boot-up. No, it is not. Get this right, and the rest falls into place naturally. The mount is handled by a (generated) systemd mount unit that will be named something like mnt-wibble.mount. You can...

Merge two video clips into one, placing them next to each other

To be honest, using the accepted answer resulted in a lot of dropped frames for me. However, using the hstack filter_complex produced perfectly fluid output: ffmpeg -i left.mp4 -i right.mp4 -filter_complex hstack output.mp4 ffmpeg -i input1.mp4 -i input2.mp4...

How portable are /dev/stdin, /dev/stdout and /dev/stderr?

It's been available on Linux back into its prehistory. It is not POSIX, although many actual shells (including AT&T ksh and bash) will simulate it if it's not present in the OS; note that this simulation only works at the shell level (i.e. redirection or...

How can I increase the number of inodes in an ext4 filesystem?

It seems that you have a lot more files than normal expectation. I don't know whether there is a solution to change the inode table size dynamically. I'm afraid that you need to back-up your data, and create new filesystem, and restore your data. To create new...

Why doesn’t cp have a progress bar like wget?

The tradition in unix tools is to display messages only if something goes wrong. I think this is both for design and practical reasons. The design is intended to make it obvious when something goes wrong: you get an error message, and it's not drowned in...