Security Theater - sudo vs root

Actually the git clone was performed in /usr/src That directory does not have write permissions for a standard user, I consider that a good thing, so to write to that directory (or make changes with sed) you have to use sudo.

I suppose you could just do the git clone to your home directory, that would actually work just fine and sudo would no longer be needed for that part, but I chose to use the /usr/src directory, and do not see a problem with doing that.

As a linux user I am having a hard time understanding your dislike for sudo, logging into or switching to root user means that you are permanently having root privileges, which is what I see suggested in many older freepbx guides. Sudo on the other hand provides temporary root privileges which is a good thing as opposed to permanent root privileges.

My typical use of sudo is sudo su - which switches to root and loads root userā€™s login environment.

If you keep sudoā€™ing individual commands you are not preserving environment/state between them.

edit: I just learned that sudo -i is the same thing as sudo su - which I have been doing for years. That said, Iā€™m sure the muscle memory will not easily allow me to change my ways, but you can do either one.

Because the FreePBX install does technical stuff that is not EXACTLY duplicated by using sudo. You may think that this is exactly the same:

sudo foo
sudo blah
sudo wibble

and

sudo -i
foo
blah
wibble

But itā€™s not. And the reason I keep saying ā€˜donā€™t use sudoā€™ is BECAUSE of that. Switch to root once, then do everything, then drop root.

2 Likes

Itā€™s NOT permanent, you want your user privileges back, just type

exit

if you are confused as to who you are, type

whoami

at any time, look at your prompt you will quickly notice the difference between the root prompt and the user prompt, you will see whatever ${PS1} in the current environment produces. (echo $PS1)

Also note the differenece between

sudo -s

and

sudo -i

(man sudo)

Thanks for the explanation. sudo su, or sudo -i could be used then. As I said in my other comment, using sudo su for the installation would be fine. I just dont like the idea of the root account being used directly. If somebody were to gain access to the machine as root user, then can install or do anything, such as setting up crypto mining on your machine, or using it as part of a botnet, etc.

@dicko this article sums up what I am saying about using root: https://www.howtogeek.com/124950/htg-explains-why-you-shouldnt-log-into-your-linux-system-as-root/

Consider me a grandma who has sucked more than a few eggs :slight_smile:

That is for normal use, if you clone into your home directory, you can ./configure and build asterisk but not install it as user, the prerequisites will also need root privileges , and as you been told many times, FreePBX install should be run in the root environment and not the user environment with elevated privileges.

No you shouldnā€™t run vlc as root, nor pulseaudio, nor chromium nor any number of other binaries, linux assumes a multi-user environment where each process has the minimum of what it needs, and wont conflict with two accounts running the same binaries, that is run-time stuff, here you should be the ā€˜big boyā€™ that wonā€™t screw things up.

When all is said and done, you will see that FreePBX and Apache et al are running safely as Asterisk, BUT to achieve that you just need to be root or suffer all the slings and arrows you have so far had to catch.

1 Like

You do the same thing on a Mac or Windows when you install a program and have to provide the administrators password. Itā€™s the same thing for the install of freepbx

1 Like

I do not use Windows. Technically I do, but ONLY for a few games. 99% of the time I am on Linux. Just because Windows does something a particular way does not mean its the correct way.

I have never owned a Mac, but I know OSX is unix based, you mentioned issuing sudo occasionally on your mac so I would assume you are not logged in as user root by default.

I also know some distributions do not disable the root account by default like Ubuntu does, but I believe having the root account disabled is a good thing, and it seems so do the developers of Ubuntu because it has been that way for as long as I can remember.

I do not mean to start a debate on security, I am certainly not an expert in the matter, but sometimes things are obvious or not difficult to educate ones self on. I am not about to tell somebody else how to run their business or computer. I merely meant to express my opinion on the matter and its ok if others donā€™t agree with me.

My point is you just need it for installation. You donā€™t ever need it again after that.

1 Like

Understood.

Thatā€™s not entirely true any moreā€¦ not with Windows 10. As a network administrator, Iā€™ve found that even the local administrator doesnā€™t have permissions to everything; such as some folders and registry keys. Those permissions are held by the local SYSTEM account.

ā€¦ and that, my friends, is a whole new can of worms; running something as the system account instead of the local administrator.

1 Like

To conclude this discussion, however, it is ā€œbest practiceā€ to log on as a local user, and then use sudo to run elevated commands. That being said, however, if I have multiple steps to perform, I will usually su to get a root shell prompt, do my work, then exit.

For example, installing FreePBX needs to be done as root; and then you have to configure a bunch of settings, set some permissions, maybe make some symlinks.

Yes, you could do all that with sudu, or if you add yourself to the asterisk group, you could potentially do it with your normal account. For me, I use su to do all of thatā€¦ if Iā€™m just making one change, one command, Iā€™ll use sudo.

Iā€™d like to temper this with this statement thoughā€¦ Iā€™ve been running some form of *nix since 1986ā€¦ broken more than my share of systems, learned what not to do. :smiley:

I disagree a little bit:

If I need a ā€œrootā€ session, I always log in as a ā€œwheel groupā€ user and use ā€œsuā€ to change to root. Most of the systems I run have multiple people that can perform admin actions. Using ā€œsuā€ drops a note into the log files so I can tell who changed to root and did whatever they did. I resist using ā€œsudoā€ - itā€™s a hack and easy to misconfigure to allow people to get elevated access without a lot of oversight.

Of course, your mileage may vary and local rules make sense for local systems.

1 Like

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.