newbiesforever 12-13-2023 08:21 AM

why would a general-purpose distro not add users to sudoers file?
 
I tried a different distro, and found that I could not sudo because the distro's default policy apparently was to not add users to the sudoers file. Fine, so I'll re-learn how to edit sudoers--I haven't had to do it manually in many years. I just wonder why a general-purpose distro like the one I'm using would not add me to sudoers automatically. I can understand why some security-niche distro would not; but otherwise...who doesn't need to sudo? How would one keep their software upgraded, and avoid using root, if they can't sudo?

fatmac 12-13-2023 08:42 AM

Most distros didn't add users automatically to sudo, as a safety feature; it's only in recent times that most now do. ;)

(When I started using Linux, you always had to use the root user login to change anything on a system.)

jmccue 12-13-2023 08:53 AM

Automatically adding users to /etc/sudoers can be viewed as a security risk. The admin should decide who should be allowed to use sudo.

You forgot to mention what distro, but IMO Slackware does it right. After install I need to decide who gets to use sudo and what they can do.

Note, sudo(8) vs root. Most people set up sudoers with people being allowed to do anything. sudo is only beneficial because it logs commands and you can restrict people by commands they can do.

If you do not restrict what people can do, you might as well su to root :)

For example, in my sudoers, I restrict what I can do by having items like these. Also I bypass the PW prompt for low risk items.

Code:

MYID ALL=(ALL) NOPASSWD: /sbin/mount
MYID ALL=(ALL) NOPASSWD: /sbin/umount
MYID ALL=(ALL)          /bin/cp
MYID ALL=(ALL)          /bin/mv
MYID ALL=(ALL)          /usr/bin/make

I am setup to execute only some commands via sudo(8).
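The distinction drawn in the post above, between rules that name specific commands and rules that allow anything, can be checked mechanically. The following is an added example, not code from the post: a small audit over sudoers-style text, where `audit_sudoers`, the sample file and the `%wheel` rule are constructed for illustration.

```python
import re

# Constructed sample: the restricted rules quoted in the post above plus one
# unrestricted group rule of the kind the post compares to plain su.
SAMPLE_SUDOERS = """\
Defaults env_reset
MYID ALL=(ALL) NOPASSWD: /sbin/mount
MYID ALL=(ALL) NOPASSWD: /sbin/umount
MYID ALL=(ALL)          /bin/cp
MYID ALL=(ALL)          /bin/mv
MYID ALL=(ALL)          /usr/bin/make
%wheel ALL=(ALL:ALL) ALL
"""

# who  host = (runas) [TAG:] command[, command...]
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\([^)]*\))?\s*(?P<rest>.+)$"
)
SKIP = re.compile(r"^(#|@include|Defaults|(User|Runas|Host|Cmnd)_Alias\b)")

def audit_sudoers(text):
    """Return one finding per user specification in sudoers-style text.

    Simplifications (assumptions of this example): include directives are
    not followed, backslash continuations are not joined, and a NOPASSWD
    tag anywhere in a rule is reported for the whole rule.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SKIP.match(line):
            continue
        m = RULE.match(line)
        if not m:
            continue
        # Drop leading tags such as "NOPASSWD:" to leave the bare command.
        cmds = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip())
                for c in m["rest"].split(",")]
        findings.append({
            "who": m["who"],
            "commands": cmds,
            "nopasswd": "NOPASSWD:" in m["rest"],
            "unrestricted": "ALL" in cmds,  # may run anything: same as root
        })
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = "UNRESTRICTED" if f["unrestricted"] else "restricted"
        print(f["who"], flag, f["commands"], "nopasswd" if f["nopasswd"] else "")
```

This only reports what the rules say; `visudo -c` remains the tool for checking that an edited sudoers file parses at all.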

enigma9o7 12-13-2023 09:39 AM

Debian's installer only adds the primary user to sudoers if you don't set a root password. I find this slightly annoying, and the way they word it in the installer, it seems like they are recommending using root instead of sudo! But I always leave it blank, which saves me a minute setting up sudoers later, and also of course prevents evil haxors from ever logging in as root.

DavidMcCann 12-13-2023 11:34 AM

As jmccue pointed out, the original idea of sudo was on networks. The administrator could delegate certain tasks to trusted users by adding them to sudoers and specifying exactly what command(s) they were allowed to use.

If you are using sudo, you are not "avoiding root" — you are becoming root as much as if you used su. You are also making the computer less secure. Have a look at my main distro's sudo policy: PCLinuxOS and sudo

jmgibson1981 12-13-2023 02:04 PM

That link from PCLOS was a good read. I knew sudo global was effectively root but I never thought about it much as I'm the only user on my computer. But I don't keep my password too difficult so I think I need to make some changes. 8-10 years, still seeing things in a new light every day.

rclark 12-13-2023 02:31 PM

Quote:

...who doesn't need to sudo?

Me. When I install a new OS, the first thing I do after first boot is give root a good password. Users and Super User .... No gray area. Keep separate as I think it should be. Matter of choice :) .

enigma9o7 12-13-2023 04:35 PM

Quote:

Originally Posted by DavidMcCann (Post 6470206)
If you are using sudo, you are not "avoiding root" — you are becoming root as much as if you used su. You are also making the computer less secure.

If you are using sudo because you have disabled the root account or never set it up to begin with ("avoiding root"), does that not make the computer MORE secure? It means someone can't brute force/dictionary attack as root, as no password will EVER work. They would have to brute force a username+password combo, which is exponentially less likely to ever get than just a password, so seems significantly more secure to me, at least from that particular type of attack. In what case would it be "less secure" as you suggest?

And I read that pclinuxos post from 12 years ago, he gives no reasons at all as to why a user account with sudo is less secure than root account that doesn't even need to type sudo to do damage. A normal user cannot use sudo, only users specifically configured as sudoers. The author of that post sounds like a grumpy crackpot. And I've never heard anyone call Ubuntu "The Buntus" before, wtf is that about? He made up (and thankfully defined) his own abbreviation to use his made up word just for that post. I wonder if this is his typical behavior.

scasey 12-13-2023 11:56 PM

What little I know about sudo was learnt reading threads like this one…I’ve never used it.
When I was working, if I needed something done which needed root privileges, I asked an administrator to do it. (Put in a ticket) (I never worked as an admin)
On my own servers, I use su - when needed.

hazel 12-14-2023 12:19 AM

Quote:

Originally Posted by enigma9o7 (Post 6470260)
And I've never heard anyone call Ubuntu "The Buntus" before, wtf is that about? He made up (and thankfully defined) his own abbreviation to use his made up word just for that post. I wonder if this is his typical behavior.

I'm surprised you never came across that word before. It's been a familiar usage to me for years. Ubuntu (uniquely I think) has different names for essentially the same distro depending on what default desktop you choose: Ubuntu, Kubuntu, Xubuntu, and there used to be one or two other unofficial ones. So people used to refer to them collectively as The 'Buntus. Maybe they don't do that so much now.

The universal sudo thing was first used by Knoppix, I think, and was revolutionary then. It came in very useful on a live distro that was often used for system rescue. Ubuntu was the first permanently installed distro to use it (only for the first registered user afair). AntiX used to do belt and braces: the first user had universal sudo rights but there also had to be a root password. In the last AntiX that I installed (AntiX-23) the root password had become optional.

Having a root password is very useful to correct the sudoers file if you make a mistake while editing it, because then you can't use sudo at all.

Our friend sundialsvc recommends that you create a second user without sudo rights and do all your internet work in that name.

newbiesforever 12-14-2023 08:38 AM

Quote:

Originally Posted by jmccue (Post 6470184)
You forgot to mention what distro, but IMO Slackware does it right. After install I need to decide who gets to use sudo and what they can do.

No, I deliberately omitted that until anyone asked, because I wasn't very interested in discussing the specific distro. If you want to know, it's Peppermint. Before that, I used MX, which does add to sudoers automatically; and having used MX for nine years previously, I forgot how to add myself to sudoers.

wpeckham 12-14-2023 09:42 AM

This may come as a shock to some, but the core drivers I install often do not include sudo in the basic install. If I want it I install it during setup. (I have a different escalation tool I prefer)
Sudo can be a great tool, but it is often misused or misconfigured in ways that present a needless vulnerability.
Automating doing it wrong is not the same as doing it right.

jmccue 12-14-2023 11:00 AM

Quote:

Originally Posted by enigma9o7 (Post 6470260)
If you are using sudo because you have disabled the root account or never set it up to begin with ("avoiding root"), does that not make the computer MORE secure?

That is security through obscurity. If you are on the net, you should set ssh never to allow login by root. I think that is the default for ssh, so having root enabled is not an issue. If someone has physical access, then security is a moot point :)

Anyway, how to tell a script kiddie? See if you are getting ssh requests for 'root' in your log.

Quote:

Originally Posted by enigma9o7 (Post 6470260)
It means someone can't brute force/dictionary attack as root, as no password will EVER work. They would have to brute force a username+password combo, which is exponentially less likely to ever get than just a password, so seems significantly more secure to me, at least from that particular type of attack. In what case would it be "less secure" as you suggest?

Getting someone's User ID is probably not that hard, just look at posts on LQ or other forums :)

Also most User IDs are probably a name, so dictionary attacks are probably simpler than a PW attack. Also these days, at least here, I am sure we all have rather secure passwords that a dictionary attack will take decades if not centuries.

But on my systems, all logins through ssh disables password logins.
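The log check suggested in the post above can be scripted. This is an added example, not code from the post: it counts failed root logins per source address and lists any accepted root login, which should never appear on a host that refuses root and password logins over ssh. The log lines are constructed, use documentation-range addresses, and follow the message format OpenSSH's sshd writes; `root_login_report` is a name chosen here.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges, placeholder fingerprint).
SAMPLE_LOG = """\
Dec 14 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec 14 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec 14 10:02:11 host sshd[1207]: Failed password for invalid user admin from 198.51.100.23 port 51514 ssh2
Dec 14 10:03:40 host sshd[1215]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:PLACEHOLDER
Dec 14 10:04:09 host sshd[1220]: Failed password for root from 198.51.100.23 port 51520 ssh2
Dec 14 10:05:00 host sshd[1231]: Accepted password for root from 203.0.113.7 port 40130 ssh2
"""

AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def root_login_report(log_text):
    """Return (failed root attempts per source IP, accepted root logins)."""
    failed = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = AUTH.search(line)
        if not m or m["invalid"] or m["user"] != "root":
            continue  # not an sshd auth result for the root account
        if m["result"] == "Failed":
            failed[m["ip"]] += 1
        else:
            # A hit here means root login over ssh is still permitted.
            accepted.append((m["ip"], m["method"]))
    return dict(failed), accepted

if __name__ == "__main__":
    failed, accepted = root_login_report(SAMPLE_LOG)
    for ip, count in sorted(failed.items(), key=lambda kv: -kv[1]):
        print(f"{count:3d} failed root attempts from {ip}")
    for ip, method in accepted:
        print(f"ALERT: root login accepted via {method} from {ip}")
```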

yancek 12-14-2023 11:08 AM

Quote:

Before that, I used MX, which does add to sudoers automatically

I'm not clear on that as pretty much every Linux OS using sudo as default creates a primary user with sudo privileges. Are you saying the install of Peppermint did not do that? That would be very surprising. Of course the installs only create one user with root privileges and if you have no user with root privileges you would likely need to do something from a 'live' system. Other users can be given different privileges and that is discussed above and is generally used to give another user permissions to do specific tasks. Generally recommended to use visudo but other text editors may be used although I don't know how well it might work.

newbiesforever 12-14-2023 12:57 PM

Quote:

Originally Posted by jmccue (Post 6470184)
The admin should decide who should be allowed to use sudo.

Yes, responders to my various threads can't make assumptions, since they don't know me; but they clearly aren't assuming that I might be the admin, which I am. People clearly always assume by default that I run some kind of multi-user system as Linux was designed for. Nope. There's never been anyone but me. I am the user, and I am root (notwithstanding that I normally avoid root). I may be on a network, but no one else effectively has access to my account. My wife has no idea how to do anything using Linux, and isn't interested...doesn't know my user password because she never asked...

