[PLUG] su/sudo [Re: Backup problems (urgent)]

Micah Cowan micah at addictivecode.org
Mon Aug 18 18:20:28 UTC 2014


On Mon, Aug 18, 2014 at 10:16 AM, Robert Miesen <robert.miesen at gmail.com>
wrote:

> there are some things that a "99.9% root"
> shell can't do that a "true root" shell can do. I don't remember off the
> top of my head what those are, but maybe someone else on this mailing
> list will.
>

There's no such thing as 99.9% root. You either have uid 0, or you don't.
You could conceivably drop some privs with setpriv (I think?), but neither
command does that of course.

It's only slightly more complicated than that, as there are two "user ids"
(real and effective). Both su and sudo set both uids (getting the effective
one by virtue of being setuid binaries, and then setting the real id
explicitly). You can verify this with "su -c id -r" and "sudo id -r".

It is therefore impossible for a difference to exist between sudo's root
and su's root. They are both 100% pure root. There are potential
differences in environment, owing to whether or not HOME is set
appropriately, whether this shell is tracked by the login facilities
utmp/wtmp, and of course the fact that sudo tries to remove potentially
dangerous environment settings so the user doesn't shoot himself in the
foot by mistake (as configured in /etc/sudoers). But claims you can "do
stuff in su's root that you can't in sudo's" are just plain wrong.

FWIW, I don't care whether people use su or sudo. This conversation may
make me seem like a "sudo evangelist" or something, but I really don't give
a shit what people use for themselves. But folks should have accurate
information before they decide what tool's best for them, and taking time
to criticize someone's advice on the basis that they recommended using
"sudo cp -a" because "it can't do everything su does" belies a fundamental
misconception about Unix/Linux uids and permissions.

-mjc
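
Added example, not part of the original message: a shell sketch that compares process credentials as Linux reports them in /proc/<pid>/status, covering the real/effective distinction and the su-versus-sudo comparison discussed above. The function names and the three status samples are constructed for illustration, and the capability mask shown is a sample value that varies by kernel version.

```shell
#!/bin/sh
# Added example. Input is the text of /proc/<pid>/status (Linux).
# The three samples are constructed, not captured from a real system.

# Print "real effective saved fs" from the Uid: line.
uid_fields() {
    printf '%s\n' "$1" | awk '$1 == "Uid:" { print $2, $3, $4, $5 }'
}

# Succeed only if all four uids are 0.
is_full_uid0() {
    [ "$(uid_fields "$1")" = "0 0 0 0" ]
}

# Print the id and capability lines with whitespace normalised.
cred_lines() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^(Uid|Gid|CapPrm|CapEff|CapBnd):$/ { $1 = $1; print }'
}

# Succeed if two processes hold identical ids and capability sets.
# The Name: line (which shell is running) is deliberately ignored.
same_creds() {
    [ "$(cred_lines "$1")" = "$(cred_lines "$2")" ]
}

SU_ROOT='Name: bash
Uid: 0 0 0 0
Gid: 0 0 0 0
CapEff: 0000003fffffffff'

SUDO_ROOT='Name: sh
Uid: 0 0 0 0
Gid: 0 0 0 0
CapEff: 0000003fffffffff'

# A setuid-root binary that has not yet set its real uid: real 1000, effective 0.
SETUID_ONLY='Name: helper
Uid: 1000 0 0 0
Gid: 1000 1000 1000 1000
CapEff: 0000003fffffffff'

for s in "$SU_ROOT" "$SUDO_ROOT" "$SETUID_ONLY"; do
    if is_full_uid0 "$s"; then r=yes; else r=no; fi
    echo "uids: $(uid_fields "$s")  all-zero: $r"
done
if same_creds "$SU_ROOT" "$SUDO_ROOT"; then echo "su and sudo samples: identical credentials"; fi
```

On a live system the same functions accept real data, for example same_creds "$(cat /proc/PID_A/status)" "$(cat /proc/PID_B/status)" with the pids of a shell started by su and one started by sudo.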


