
Rethinking su vs sudo
If you’ve been hanging around Both.org for a while, you’ve undoubtedly noticed that I much prefer using the su - command to obtain elevated privileges on my Linux systems rather than the sudo command. I’ve written more than one article about appropriate uses for su and sudo. But I like to explore new ways of doing things. So, for at least 3 reasons — one of which is that I’m an unfit SysAdmin for my own network and the computer protection services (CPS) might come to remove them from my home and place them somewhere safer — I decided to stop using the su command and force myself to use sudo.
Why I did it
The primary reason I decided to give sudo a chance is that I haven’t been changing passwords very frequently for my internal network hosts, especially for some of the less-used test accounts I create when experimenting. My router/firewall is definitely an exception to that. I also needed to ensure that all of the passwords are encrypted with yescrypt. yescrypt is a more secure method than the previous SHA-512 method.
How to determine the password encryption method
Before we go much further, we need to take a short side-trip to understand just a little about the /etc/shadow file, which contains the encrypted passwords for accounts that have them.
The /etc/shadow file contains a line for every user ID on your Linux system. This is where the encrypted passwords are stored for users on your system. Most of those UIDs are for system accounts and don’t have passwords. Human users are usually few on today’s systems, so you’ll only find two or three accounts with passwords. The three IDs shown here illustrate a bit about what this file looks like. The lxdm account is for the lxdm display manager and it doesn’t have a password — like many other system accounts. That’s indicated by the exclamation point (!), aka the “bang,” in the second field of the shadow entry, which is the password field.
The second account is for a test user that I use for experimentation and it does have a password. The first three characters of the password field in this entry, $6$, specify the encryption method used. In this case, the 6 indicates that this password is encrypted using the SHA-512 method.
lxdm:!:20193::::::
testuser1:$6$j9T$oQeeqedOSQWS9YaLHAGDG$O8<SNIP>6lyGx7UFtg4:20363:0:99999:7:::
testuser2:$y$W3gDNhne4mCFishV$kTYsium<SNIP>1Riko^TEjKjfJv0:19631:0:99999:7:::
The last line in this sample is another test user I created. In this entry, $y$ indicates that this is already a yescrypt password, so it doesn’t need to be changed — unless it’s time to change it based on its age.
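Reading the prefix by eye works for three accounts, but on a host with dozens of entries it is easier to let a script do it. The following is an added example, not code from the article: it parses shadow-format lines, labels each account's hash method from the $id$ prefix (crypt(5) defines $y$ as yescrypt and $6$ as SHA-512), and flags accounts that still need a rehash or whose password is older than the maximum age in the fifth field. The sample entries are constructed in the article's layout with placeholder hashes; the account names and the olduser entry are invented for illustration.

```python
"""
Audit shadow(5)-format entries for password hash method and age.

Added example, not code from the Both.org article. It reads the colon-
separated format the article describes, labels the hash method from the
$id$ prefix of the second field, and flags accounts that still use a
pre-yescrypt hash or whose password is older than its own maximum age.
"""
import sys
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Hash identifiers from crypt(5): "$y$" is yescrypt, "$6$" is SHA-512.
HASH_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}
MODERN = {"yescrypt", "gost-yescrypt"}

# Constructed sample in the article's layout; the hashes are placeholders,
# not real digests, and "olduser" is an invented account.
SAMPLE = """\
lxdm:!:20193::::::
testuser1:$6$examplesalt$PLACEHOLDERHASH:20363:0:99999:7:::
testuser2:$y$j9T$examplesalt$PLACEHOLDERHASH:19631:0:99999:7:::
olduser:$1$abc$PLACEHOLDERHASH:18000:0:90:7:::
""".splitlines()


def classify(pw_field):
    """Label the password field: locked, empty, or the hash method used."""
    if pw_field == "":
        return "empty"          # login without a password: always a finding
    if pw_field.startswith(("!", "*")):
        return "locked"         # "!" or "*" prefix disables password login
    if not pw_field.startswith("$"):
        return "descrypt"       # 13-char traditional DES hash, no $id$
    hash_id = pw_field.split("$")[1]   # "$6$salt$hash" -> "6"
    return HASH_IDS.get(hash_id, "unknown:" + hash_id)


def audit(lines, today=None):
    """Return one dict per account with method, needs_rehash and stale flags.

    `today` is an ISO date string (for reproducible runs); defaults to now.
    """
    now = date.fromisoformat(today) if today else date.today()
    report = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue            # not a shadow entry
        user, pw, lastchg, _minage, maxage = fields[:5]
        method = classify(pw)
        entry = {"user": user, "method": method,
                 # locked accounts have nothing to rehash; an empty field
                 # counts as needing attention just like a legacy hash
                 "needs_rehash": method not in MODERN | {"locked"},
                 "age_days": None, "stale": False}
        if lastchg.isdigit():
            changed = EPOCH + timedelta(days=int(lastchg))   # field 3: days since epoch
            entry["age_days"] = (now - changed).days
            # 99999 is the conventional "never expires" maximum age
            if maxage.isdigit() and int(maxage) < 99999:
                entry["stale"] = entry["age_days"] > int(maxage)
        report.append(entry)
    return report


def main(path="/etc/shadow"):
    try:
        with open(path) as fh:
            lines = fh.readlines()
    except PermissionError:
        sys.exit(f"{path} is readable only by root; rerun with sudo")
    for e in audit(lines):
        flags = [k for k in ("needs_rehash", "stale") if e[k]]
        print(f"{e['user']:<16} {e['method']:<14} age={e['age_days']} {' '.join(flags)}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/etc/shadow")
```

Run it as root (or via sudo) to audit the real /etc/shadow; any line marked needs_rehash is an account whose password should be changed so that passwd rewrites it with the current default method.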
How I did it
Since testuser1 still uses SHA-512 encryption, it needs to be changed to yescrypt. It’s truly simple. Just change the password as you normally would using the passwd command — or the user management GUI application if your GUI desktop provides one. No special options are required, because on a system whose configured default method (ENCRYPT_METHOD in /etc/login.defs) is already yescrypt, passwd writes the new hash with that method; you can confirm it by checking that the updated shadow entry now begins with $y$.
So now sudo
The first passwords I changed were the root passwords on all my systems. I’d previously created very long and random passwords for my firewall system so that all the script kiddies can bang their heads on it all they like. But long, complex passwords can’t be memorized, and writing them down is — well, just shoot me now. That means that I need an easier method to boost my privilege level to root when necessary.
Seth is one of the editors for Both.org, and we’ve had an ongoing discussion about using su - vs sudo. I have been all-in for su because it’s the historical method and sudo is for providing limited access to a few commands for non-root users. Seth’s preference is for sudo because it’s more secure.
So, much to my chagrin, Seth, I find that the sudo command becomes necessary.
A final thought
So — yeah — I’m also going to be more proactive about changing passwords.