21. Limit SU users and SUDO
The Unix ‘su’ command allows you to become another user
without logging off. It is handy
for system administrators to use if they need to telnet into a remote machine
(or, better yet, Ssh into a remote machine).
Many systems will not allow you to telnet in remotely and log into root.
This is done as a security precaution.
Instead, you should telnet in as some other user, then use ‘su – root’
to log into root. This is more
secure because it will be logged into the su log file.
Failed attempts are also logged, so it is good practice to examine your
su log from time to time and find out who has been trying to get root on your
system.
Sudo (superuser do) allows a system administrator to give
certain users (or groups of users) the ability to run some (or all) commands as
root while logging all commands and arguments.
This could be used, for example, to allow a non-root user to run your
backups for you. For more
information about Sudo see http://www.courtesan.com/sudo/.