Thursday, November 3, 2005

Linux missing the ‘sudo’ boat

Having been out of the game for a while, I’ve been doing a bit of playing with Linux lately. My exposure to Linux over the past couple of years has been limited to back-end system stuff. It’s true, my trusty Apple PowerBook has relegated desktop Linux to a mere footnote in the evolutionary track of my technological development.

Every so often, I get a pang of regret or guilt that I use a great deal of commercial software these days. It’s not an overwhelming feeling, and it soon passes. But on certain crisp autumn evenings when the wind is blowing through the trees, I hear Pete Seeger faintly singing “Die Gedanken Sind Frei”. Then, I have a vision of our dystopian, DRM encumbered, thought controlled, Digital Millennium Copyright Act (you damn dirty apes!) future, and I think that maybe I should step up and be part of the solution.

After one of these visions, I used my commercial toe jam licking PowerBook to download and burn a DVD of OpenSUSE to see if 2006 will be the year of the Linux desktop after all.

Overall, I’m very impressed—particularly with the polish and simplicity of Novell’s GNOME desktop. (KDE: what happened to you? You look awful these days!) However, one thing stuck out that made me question whether or not the Linux folk “get it”: What is with asking me for a root password all the damn time? Do you have any idea how horribly wrong this is? Let’s play with a common scenario to illustrate:

Suzy Q is a systems administrator at a university managing a number of OpenSUSE desktops for three chemists, a budget analyst, and a secretary. The three chemists share three workstations around the building. The budget analyst has a laptop and likes to connect to wireless networks when she is traveling. The secretary loves playing solitaire and has an insatiable appetite for downloading new variations on the game.

For the chemists to do routine operations such as changing the screen resolution, or installing a package, they must either hound Suzy to come do the work for them, or they must know the root password. The budget analyst must know the root password to simply join the network at her local neighborhood coffee shop. The secretary is in the same boat as the chemists for installing new versions of solitaire.

Suzy doesn’t want to be a personal servant to the chemists or the secretary. And Suzy certainly cannot be everywhere there is a wireless access point for the budget analyst. So, she has no choice but to give out the root password to these people.

The sneaky chemists start using that root authority to start spying on their coworkers who use the same computers. The budget analyst has no clue what a “root” is. And the secretary immediately roaches her system by changing a configuration file.

Using this model:
violates the principle of least privilege,
requires a person to know two passwords, and
requires a person to understand the concept of a “root” user and when to invoke its name.

The Macintosh did away with using a root account entirely. The root account on my PowerBook is locked. That isn’t to say that the Mac is perfect. For example, a person is either an administrator or he isn’t—thus violating the principle of least privilege. However, a person only needs to know his password. And there is no concept of a root user in sight.

Finally, the plumbing is almost certainly there if and when Apple decides to add more granular control over administrative functions. Furthermore, the user interface paradigm doesn’t have to change to accommodate such a move.

Current Linux distributions use an “su” model to elevate user privilege. Both KDE and GNOME have graphical replacements for the old command line utility. Why, then, could they not pick “sudo” as a model? Sudo already supports allowing users to use their own credentials for privilege escalation. No two passwords. No root user.

Furthermore, sudo already supports granularity. If Linux distributions used sudo instead of su, Suzy could allow the chemists to install packages from an internal package repository, but could deny them access to each other’s files. She could allow the budget analyst to change her wireless settings without being able to install new software or modify startup scripts. Our secretary could download new versions of solitaire to her heart’s content, without being able to muck with her system settings. Even better, sudo can *log* the commands that each user runs!

To keep things simple, I suggest two levels of sudo access initially: a “power users” group that allows members to install packages, change screen resolutions, run a wireless configuration tool, etc. Generally speaking, a “power user” could run specific programs that don’t impact other user accounts. An “admin” group would be similar to the “su” model, allowing any administrator to run anything as root—but using only one password. In the case of OpenSUSE, certain YaST modules would be open to power users, but others would be closed to all but administrators.

Speaking of OpenSUSE, I have to wag the finger of shame at SUSE. Your sudo configuration is broken. Configuring sudo to ask for the root password negates the value of the utility. Why even have it when su does the same thing?
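The two-level model described above, written as a sudoers fragment (an added example, not the post’s or SUSE’s own configuration; the group names, the install wrapper script and the tool paths are assumptions). It also shows the setting the post objects to beside the corrected one.

```sudoers
# Added example (not the post's or SUSE's own file): one sudoers fragment for
# Suzy's desktops. Group names, the wrapper script and the tool paths are
# assumptions. Edit with: visudo -f /etc/sudoers.d/desktop
# (visudo checks the syntax before saving; a broken sudoers locks everyone out).

# The setting the post objects to: targetpw makes sudo prompt for the TARGET
# user's password, i.e. root's, so every user must still be told the root secret.
# Defaults targetpw                     # weak: two passwords, shared root password

# Corrected: prompt for the caller's own password (sudo's default behaviour).
Defaults !targetpw
Defaults timestamp_timeout=5            # re-prompt after 5 idle minutes
Defaults logfile=/var/log/sudo.log      # one line per command, per user

# Commands a power user may run as root. Each is a specific program that does
# not touch other accounts' files; nothing here opens a shell or an editor.
# The wrapper (assumed) installs only from the internal repository and must
# validate its arguments itself: a sudoers "*" matches any argument string.
Cmnd_Alias PKG_INSTALL = /usr/local/sbin/install-internal *
Cmnd_Alias DISPLAY_CFG = /usr/sbin/sax2          # assumed display tool path
Cmnd_Alias NETWORK_CFG = /sbin/yast2 lan         # assumed YaST network module

# Level 1: power users, each group limited to what its job needs.
%chemists  ALL = (root) PKG_INSTALL, DISPLAY_CFG  # packages and resolution,
                                                  # but no access to each
                                                  # other's files
%travelers ALL = (root) NETWORK_CFG               # wireless only: no installs,
                                                  # no startup scripts
%staff     ALL = (root) PKG_INSTALL               # solitaire, nothing else

# Level 2: administrators (Suzy). Same reach as su, but her own password.
%admin     ALL = (ALL) ALL
```

Because nothing above grants `yast2` as a whole, a user cannot open an unlisted module; each new capability is a deliberate line in this file, and every invocation lands in the log.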

It seems I’ve been picking on SUSE a bit, but in reality, overuse of su is pandemic in the Linux community. Fix it. Use sudo instead. It’s a small thing, but Pete Seeger would want it this way.

Comments (archived)

Pingswept, on Nov. 5th, 2005 wrote:
You’ve got a legitimate gripe about using the root account. As a solution, take a look at Ubuntu Linux. Like OpenSUSE, it uses GNOME as its desktop, but they’ve taken exactly the approach you’ve advocated. As someone employed at a Mac-rich company, I’m always looking for free alternatives to the “commercial toe jam licking PowerBook.” Ubuntu isn’t perfect, but it’s frighteningly good for free.

Peter, on Nov. 5th, 2005 wrote:
I otherwise like OpenSUSE. I think the desktop is pretty attractive and functional, but maybe that is just par for the course with desktop Linux these days. Having poked around at Fedora and OpenSUSE, I was generally happy with both—minus the su issue. I hope they will buck up and go the Ubuntu route!
