8

The only thing that distinguishes my admin account from normal accounts is that my admin account is a member of the sudo group and can run sudo. Is it any less secure to use my admin account for daily work? If yes, why?

Assume that I am very careful where I enter my password and know what a command does before executing it, of course.

If I used a normal non-admin account for my daily account, when I needed to run something as root I would su into my admin account (not into root, as that has no password and is disabled!) and there run the sudo command in the admin shell; or, I would switch users graphically. Thus, the amount of commands that would be run is the same -- using a normal account would just mean that I have to enter my admin password twice when running something as root.

So, should advanced users do everyday work on a normal account instead of an admin account? And why or why not?

Please note that by "admin account" I mean an account with privilege to use sudo to run commands as root - not the root account itself. I never log in as root.

D.W.
  • 381
Byte Commander
  • 107,489

5 Answers5

10

An account that can sudo is technically as able as the root account (assuming a default sudoers configuration behaviour) but there is still quite a big difference between root and an account that can sudo:

  • Accidentally omitting a single character won't destroy Ubuntu. Probably. Consider trying to delete ~/bin but actually running rm against /bin. If you aren't root, there's less risk.

  • sudo requires a password, giving you those milliseconds to work out any mistakes. It also means that other applications don't have the ability to do rooty things on your behalf.

This is why we recommend people not use the root account for everyday work.

Insulating yourself with another intermediary "admin" account (and running as a user without sudo access) is just another layer. It should also probably be a different password.

It's extra fuss though and (per your question conditions) if something can sniff out your first password, they can probably get the second just as easily. If you never ever made mistakes, and never use these strong passwords anywhere else (not guessable or crackable), this solution is probably no more secure. If somebody wants root they'll boot into recovery, chroot, or use a wrench.

There is also a school of thought that points out that [for non-enterprise desktop users] nothing you value is protected from your user. All your documents, photos, web browsing history, etc is owned and accessible by you or something running as you. Just as you can run something that logs all your keystrokes, views your webcam, listens on your microphone, etc.

Simply put, malware doesn't need root to ruin somebody's life, or to spy on you.

D.W.
  • 381
Oli
  • 293,335
  • 1
    Sorry, you understood my question not entirely correct. I never considered logging in as root. My options are just logging in as admin (sudo etc. group member) - - or - - logging in as normal/restricted user usually and graphically or in a terminal via su switching to the admin (entering admin password) and then using sudo from there (entering admin password again). – Byte Commander Nov 10 '15 at 11:35
  • On your point regarding getting the second password just as easily, that doesn't have to be the case. I manage my desktop machines with Ansible, which connects to an admin account via ssh. The user accounts do not have sudo privileges, and there is no need to ever use an admin account physically on the desktop (in fact it is undesirable, because I don't want my machines being messed with individually and falling out of sync with the rest). – Jon Bentley Nov 10 '15 at 14:10
  • @ByteCommander The second half of the answer is based on what you wanted but the reasons for it are an extrapolation from the normal root-vs-admin argument. It's another layer of the same thing. – Oli Nov 10 '15 at 14:31
5

No risk while not root

From my understanding for an administrator, or sudo user it is working just like a normal desktop user as long as we don't say sudo - so there should be no additional risk.

Risk of accidentally becoming root

It is also true that a user having potentially admininistrator permissions needs to watch out at bit closer where, when, or whom they give away their password.

I can imagine (though I never met one) an evil application or a script asking you for your password without telling you what for. It likely will perform something with root permissions, as it would not need your password otherwise. If I don't know what this application does I would simply not give it my root password.

We are also responsible to dismiss root permission again after we are finished. It always is a bad idea to stay root while working with a graphical application such as e.g. Nautilus.

Risk of losing root access

Another "risk" may be that you do something bad with your account that prevents you from logging in. Therefore I always create at least two administrator users on any box I install Ubuntu to. This is for the case something breaks my main account.

Community
  • 1
Takkat
  • 142,284
  • The first answer that actually addresses the question. Thanks! As I said, I (at least assume that I) am careful where to enter my passwords and what commands to run. But I don't get why you need two admin accounts when there is still the recovery-mode root shell? – Byte Commander Nov 10 '15 at 12:41
  • @ByteCommander That only works if you have physical access to the computer. – Jon Bentley Nov 10 '15 at 13:55
  • @JonBentley I have. It's about my home computer in this case, that means I have physical access only. – Byte Commander Nov 10 '15 at 14:47
  • Err, NO. I have an attack for gaining sudo privileges myself running from an account that uses them. – Joshua Nov 10 '15 at 19:53
2

Yes, there are risks. Whether or not those risks are big enough for you to care about is a matter of preference and/or your security policy.

Any time you use a computer, you are always at risk from attackers. Even if you run an extremely secure setup, you cannot protect against as-yet unknown vulnerabilities.

If you are using an account without sudo privileges and that account is compromised due to that use (e.g. a keylogger grabs your password), then that adds a limitation on the damage that can be done. If an attacker compromises an account with sudo privileges then they gain those privileges too.

On most systems, using sudo will cause your password to be remembered for 15 minutes by default, which is another risk factor, unless you change that setting.

Jon Bentley
  • 709
  • Was going to mention the caching of the right-to-elevate as a potential risk: an unknown script could potentially contain a sudo command that will go unchallenged, but unless the writer could be moderately sure you will have issued a sudo command recently, in normal circumstances it would ask for the password which should be a red-alert that something odd is happening. – TripeHound Nov 10 '15 at 15:49
  • @TripeHound Alternatively, you step away from the computer for a bathroom break, having just authorised a sudo command, and someone else steps in. I don't see a distinction in risks between potential or otherwise - the word risk merely implies that there is some non-zero probability of an undesirable outcome. Yes, in normal circumstances you would notice the password request. Does your attacker, who planted that script on 1000 computers and doesn't have a specific target in mind, care? – Jon Bentley Nov 10 '15 at 17:42
0

I run exactly like that: One user where I do my user stuff and one user where I do only admin stuff an no user stuff. Even the command prompts are different: users have a green prompt and admins a red one!

Why?

The user had its own settings for all of the applications that I use separate from the admin user, which allows you to:

  1. Debug whether an issue is user-related or system related
  2. Have the admin account as a backup user account instead of the guest account and root account if anything goes really wrong with your user settings and you cannot log on any more.
  3. keep admin docs and user docs separated in their respective home directories if you choose to do so.
  4. No effect when typing an accidental sudo before a command.
  5. No way to actually see what a normal user is not supposed to see.
  6. No way of hitting a user privilege escalation bug. (there have been a few in the past)
  7. Be a "normal user" just like all the other users on your computer and know what the advantages/disadvantages are.
Community
  • 1
Fabby
  • 34,259
  • Okay, but having "admin docs" (which I don't really have) and "user docs" separated is a big downside in my opinion, as I always want to have all my data in one place (plus backups of course). Same for settings. They're basically the same, I even use the same Firefox/Thunderbird profiles from a shared directory. And there are other normal user accounts from other family members etc. as well, I'm just talking about my owns. I'm looking forward to further explanations as promised in (4.), but you did not really convince me yet, rather the opposite. :-/ – Byte Commander Nov 10 '15 at 12:46
  • Been busy with RL. Seems like you have an accepted answer already, but added some more reasons as promised! ;-) – Fabby Nov 10 '15 at 23:35
  • 1
    Now it's worth an upgoat! :D – Byte Commander Nov 11 '15 at 13:27
0

My opinion-based answer, because everything would have to be proven mathematically, and from that I have no idea. ;)

Two accounts one with groups adm and sudo, means one account have the right to execute commands with sudo rights. One without this privileges.

  • If you have cracked the password for the non-privileged account, then you still have to crack the password for the privileged account now. -> Advantage in comparison with only one account
  • If you have cracked the privileged account. -> No advantage in comparison with only one account

The probability is 50% if you do not respect the intelligence of the attacker.

From my perspective, it's theoretical a very little security benefit and belongs more to the realm of probability theory. But the loss of convenience increases disproportionately. It depends on how smart the attacker is. Do not underestimate this intelligence. That's a false sense of security.

In other words, no, it brings you no measurable benefit, but you lose a lot of convenience. At the end everyone must decide for themselves.

A.B.
  • 90,397