Subject: Re: ?What a Linux root user can do - and 8 ways you should absolutely never use it?

At Tue, 20 Jan 2026 19:47:14 -0500, c186282 <c186282@nnada.net> wrote:

On 1/20/26 16:43, rbowman wrote:

On Tue, 20 Jan 2026 21:00:59 -0000 (UTC), Lawrence D?Oliveiro wrote:

Yeah, but sudo *is* for running things as root! You think running them
via sudo is any better than however else you were thinking of doing
those things as root?

Sudo limits the damage. Become root with 'sudo su -' and you'd better not have lapses of attention. I think it was OpenSUSE where if you were root the wallpaper turned bright red with round, black bombs with smoking
fuses.

'sudo', as often implemented, is NOT safe. PI-os
doesn't even ask for yer user PW.

You CAN tweak sudoers ... tighten things up a bit,
but that's more work and, if like me, you never
use 'visudo', just 'nano', you'd better get the
syntax right.

The alt is to have NO 'sudo'. If you are concerned
about security then this may be the best and easiest
path. Open a terminal, 'su', then you need the ROOT
password.

I have a file in /etc/sudoers.d that includes this directive:

Defaults targetpw

So I need the root password to sudo to root.

--
-v System76 Thelio Mega v1.1 x86_64 Mem: 258G
OS: Linux 6.18.5 D: Mint 22.3 DE: Xfce 4.18 (X11)
NVIDIA GeForce RTX 3090Ti (24G) (580.105.08)
"Windows: XT emulator for an AT."

--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Subject: Re: ?What a Linux root user can do - and 8 ways you should absolutely never use it?

At Tue, 20 Jan 2026 20:59:25 -0500, c186282 <c186282@nnada.net> wrote:

On 1/20/26 20:40, vallor wrote:

At Tue, 20 Jan 2026 19:47:14 -0500, c186282 <c186282@nnada.net> wrote:

On 1/20/26 16:43, rbowman wrote:

On Tue, 20 Jan 2026 21:00:59 -0000 (UTC), Lawrence D?Oliveiro wrote:

Yeah, but sudo *is* for running things as root! You think running them >>>> via sudo is any better than however else you were thinking of doing
those things as root?

Sudo limits the damage. Become root with 'sudo su -' and you'd better not
have lapses of attention. I think it was OpenSUSE where if you were root >>> the wallpaper turned bright red with round, black bombs with smoking
fuses.

'sudo', as often implemented, is NOT safe. PI-os
doesn't even ask for yer user PW.

You CAN tweak sudoers ... tighten things up a bit,
but that's more work and, if like me, you never
use 'visudo', just 'nano', you'd better get the
syntax right.

The alt is to have NO 'sudo'. If you are concerned
about security then this may be the best and easiest
path. Open a terminal, 'su', then you need the ROOT
password.

I have a file in /etc/sudoers.d that includes this directive:

Defaults targetpw

So I need the root password to sudo to root.

ROOT pass, or USER pass ???

ROOT pass (or whatever user you are sudoing to)

"targetpw" means you have to use the pw of the target
user.

And is this "sudo su" or just "sudo" ?

anything with sudo, including sudo -i

--
-v System76 Thelio Mega v1.1 x86_64 Mem: 258G
OS: Linux 6.18.5 D: Mint 22.3 DE: Xfce 4.18 (X11)
NVIDIA GeForce RTX 3090Ti (24G) (580.105.08)
"There's my way, and then there's the easy way."

--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Subject: Re: ?What a Linux root user can do - and 8 ways you should absolutely never use it?

vallor <vallor@vallor.earth> wrote:

I have a file in /etc/sudoers.d that includes this directive:

Defaults targetpw

So I need the root password to sudo to root.

I find that a bad idea. If you know the root password, you can also
su, and thus the better control possibilities that sudo offers are
moot.

Greetings
Marc
-- ---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Subject: Re: ?What a Linux root user can do - and 8 ways you should absolutely never use it?

Lawrence D?Oliveiro <ldo@nz.invalid> wrote:

On Wed, 21 Jan 2026 11:19:35 +0100, Marc Haber wrote:

... and thus the better control possibilities that sudo offers are
moot.

There seems to be this feeling that sudo is overly complicated and

That surely is not a very wrong stance. sudo is quite complicated, and
I would probably have stopped using it (chaning to either runas from
the BSD universe or run0 from systemd) if I weren't maintaining the
Debian packages.

Configuring sudo to require the targetpw doesn't help with that AT
ALL, it just makes things worse.

prone to its own ongoing security vulnerabilities.

What are the currently ongoing security vulnerabilities in a current
sudo? I need to know that.

Greetings
Marc
-- ---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Subject: Re: ?What a Linux root user can do - and 8 ways you should absolutely never use it?

Lawrence D?Oliveiro <ldo@nz.invalid> wrote:

On Thu, 22 Jan 2026 10:40:57 +0100, Marc Haber wrote:

Lawrence D?Oliveiro <ldo@nz.invalid> wrote:

There seems to be this feeling that sudo is overly complicated and
prone to its own ongoing security vulnerabilities.

What are the currently ongoing security vulnerabilities in a current
sudo? I need to know that.

I did a quick search and found this one ><https://thehackernews.com/2025/09/cisa-sounds-alarm-on-critical-sudo-flaw.html>
from just a few months ago.

Yes, we fixed that two months before that article was published.

The list they linked to shows a couple of other items, one happening
every few years ><https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=sudo&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=>.

Old news. I thought there was a current vulnerabilty that I should
have been aware of.

Searching at cve.org shows a new one, from this year ><https://www.cve.org/CVERecord?id=CVE-2026-22536>. I even see a few >mentioning sudo-rs, which is a reimplementation of sudo in Rust.

sudo-rs is a totally independent project. I don't know zilch about
that one other than Ubuntu has decided to go that way.

Greetings
Marc
-- ---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Subject: Re: ?What a Linux root user can do - and 8 w ays you should abso lutely never use it ?

At Thu, 22 Jan 2026 10:40:57 +0100, Marc Haber <mh+usenetspam1118@zugschl.us> wrote:

Lawrence D?Oliveiro <ldo@nz.invalid> wrote:

On Wed, 21 Jan 2026 11:19:35 +0100, Marc Haber wrote:

... and thus the better control possibilities that sudo offers are
moot.

There seems to be this feeling that sudo is overly complicated and

That surely is not a very wrong stance. sudo is quite complicated, and
I would probably have stopped using it (chaning to either runas from
the BSD universe or run0 from systemd) if I weren't maintaining the
Debian packages.

Configuring sudo to require the targetpw doesn't help with that AT
ALL, it just makes things worse.

I agree in the case of multiple users that have to sudo to root...but
I was referring to my machine at home, with only me as a possible
superuser.

If I boot to a recovery console, it needs my root password
anyway, so having that separate would almost seem to make
sense. ;)

prone to its own ongoing security vulnerabilities.

What are the currently ongoing security vulnerabilities in a current
sudo? I need to know that.

Greetings
Marc

--
-v System76 Thelio Mega v1.1 x86_64 Mem: 258G
OS: Linux 6.18.5 D: Mint 22.3 DE: Xfce 4.18 (X11)
NVIDIA GeForce RTX 3090Ti (24G) (580.105.08)
"How come the AT&T logo looks like the Death Star?"

--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)