xy16644 said:
What is the maximum length of a root password in FreeBSD 9.1? (if any)
That is a cool question, but unfortunately also one easily answered. The
passwd(1) manual page tells you all about it:
Code:
The new password should be at least six characters long (which may be
overridden using the login.conf(5) ``minpasswordlen'' setting for a
user's login class) and not purely alphabetic. Its total length must be
less than _PASSWORD_LEN (currently 128 characters).
I don't know about you, but I got immediately intrigued with a follow-up question: "What is this
_PASSWORD_LEN exactly?" (though I had a suspicion due to the way of writing, even though I'm not a C programmer).
This is what programmers call a constant. This is a variable which has a pre-defined value which cannot (and should not) be changed. In several languages (my personal experiences lie in Java, C#.NET and VB.NET) it's quite common to use CAPITAL letters to make sure people realize what they're dealing with.
And as a bonus (maybe useless, but I think it's fun): this constant is set in /usr/include/pwd.h, what do you know:
Code:
smtp2:/usr/include $ grep PASSWORD_LEN pwd.h
#define _PASSWORD_LEN 128 /* max length, not counting NULL */
The reason I think this is a very cool question is because I once tried to find this same kind of information for Linux. Let's just say it's not as transparent as the examples I've shown here.
xy16644 said:
If I am the only admin/root user on a server, is there any point to using sudo? I know you shouldn't use root but I currently do.
Now, this is another good question in my opinion, but.. Also one which doesn't have a straight answer I think, it will most likely be based on personal opinion, personal experiences as well as the situation at hand.
Yes, there is a point to sudo, just like there's a good point to not using sudo (hey; no one said this was going to be easy).
From the top of my head, some advantages of using sudo:
- You don't need to type the root password, thus if you are affected by a key logger of some sorts they'll only get your password. (critical note: then log on using your account, abuse sudo, and you're in trouble anyway).
- You don't need to type the root password every time, sudo can remember it for an x amount of time. (critical note: and now your password becomes semi-accessible in 2 places at once).
- sudo can also be used to automate certain commands or maintain / mimic certain environments.
- You can also use sudo to execute programs as another account, not per se the root account.
But as I mentioned earlier there are also plenty of reasons not to use sudo. For example; by default it's set SUID and is owned by root. Thus effectively gaining root privileges the moment you start it:
Code:
[peter@ikari ~]$ ls -l `which sudo`
---s--x--x 2 root root 219272 Aug 6 2012 /usr/bin/sudo
(disclaimer: this is a Linux example, I don't use sudo on any of my FreeBSD servers, yet have reasons to assume the situation is the same).
xy16644 said:
I'm trying to understand the pros/cons to using my own account (that is in the wheel group) with sudo versus logging in as the root user.
If with "logging on as root" you meant to say "logging on as root using SSH" then you should really change your ways, but it doesn't have to be using sudo. Why not simply use "su" to gain root privileges?
Better yet: if you need to have the exact environment which root has, why not simply use "su -"?
In general: Never, ever, directly log on as root using the network.
I know you could easily use a firewall to block access to SSH and only permit it for your own IP address, but you'd still be taking a huge risk. One which you don't need to take because you'd only need 1 simple command after logging on to gain root privileges.
xy16644 said:
I fully understand why servers with multiple admins need sudo for audit purposes but is there any point of me running sudo if I am the only admin of the server?
In my personal opinion no. In fact, I would recommend not using sudo due to the SUID bit being set.
However, I know I'm repeating but I honestly consider this important to stress out: I would strongly recommend using su instead (this is assuming you're not and also currently logging on directly as root over the network).
xy16644 said:
I also don't understand the difference between using a password and NOT using a password with sudo; why do you need to enter your own password each time to become root (or have root rights)?
Simple.
At the time of writing my girlfriend sits in the living room watching.. I don't know, but for argument's sake let's assume I don't trust her like I do, I'm logged on as myself on my server and sudo doesn't require passwords.
She knows some of my customer websites deal with credit card payments, got this nice PHP routine from a "friend" and I need to go to the toilet for a "long break". I need to go NOW so I don't bother to log out or lock my terminal because it's 1am and she's my girlfriend.
What's now stopping her from becoming root, add some extra stuff, remove her own tracks (remember: root is all powerful), get me an extra beer and then sit on the couch as if nothing happened?
This is merely an extra layer of protection; making sure no one can "just" gain root privileges by abusing your account.
It's the same reason why you'd need to enter your current password when using passwd before you can give a new one (but I liked my previous example a lot better).
xy16644 said:
When people use sudo, do they normally just prefix all commands with sudo or is it better (or easier) to become root using sudo -s
That depends. On Linux I often used sudo mc, then got to work and eventually logged off again. I also often used single commands.
It really depends on what you need to do, there is no definite answer here I think.
Hope this can give you some ideas.
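
The two settings the post above argues for (no direct root login over the network, and sudo that still asks for a password) can be checked mechanically. This is an added example, not part of the original post; the function names and the sample files are constructed, and the real sshd_config and sudoers paths differ per system.

```shell
#!/bin/sh
# Added example (not from the original post). Sample files are constructed.

# Print the effective global PermitRootLogin value, or "unset".
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive; stop at the first Match block (conditional settings).
permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                 # comment line
        { sub(/=/, " ") }                   # tolerate keyword=value
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { v = $2; exit }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Print sudoers rules carrying the NOPASSWD tag (comment lines skipped).
nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD[[:space:]]*:' || true
}

# $1 = sshd_config, $2 = sudoers. Returns 1 if either check fails.
audit() {
    rc=0
    [ "$(permit_root_login "$1")" = "no" ] ||
        { echo "FINDING: root SSH login not explicitly disabled"; rc=1; }
    [ -z "$(nopasswd_rules "$2")" ] ||
        { echo "FINDING: passwordless sudo rule present"; rc=1; }
    return "$rc"
}

# Constructed sample input: the first active PermitRootLogin line wins.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config" <<'EOF'
# PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
EOF
cat > "$tmp/sudoers" <<'EOF'
root   ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) NOPASSWD: ALL
EOF
audit "$tmp/sshd_config" "$tmp/sudoers" || echo "audit failed"
```

A result of "unset" is treated as a finding because the built-in default for PermitRootLogin differs between OpenSSH versions and vendors.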