why would a general-purpose distro not add users to sudoers file?
I tried a different distro, and found that I could not sudo because the distro's default policy apparently was to not add users to the sudoers file. Fine, so I'll re-learn how to edit sudoers--I haven't had to do it manually in many years. I just wonder why a general-purpose distro like the one I'm using would not add me to sudoers automatically. I can understand why some security-niche distro would not; but otherwise...who doesn't need to sudo? How would one keep their software upgraded, and avoid using root, if they can't sudo?
|
Most distros didn't add users automatically to sudo, as a safety feature; it's only in recent times that most now do. ;)
(When I started using Linux, you always had to use the root user login to change anything on a system.) |
Automatically adding users to /etc/sudoers can be viewed as a security risk. The admin should decide who should be allowed to use sudo.
You forgot to mention what distro, but IMO Slackware does it right. After install I need to decide who gets to use sudo and what they can do. Note, sudo(8) vs root. Most people set up sudoers with people being allowed to do anything. sudo is only beneficial because it logs commands and you can restrict people by commands they can do. If you do not restrict what people can do, you might as well su to root :) For example, in my sudoers, I restrict what I can do by having items like these. Also I bypass the PW prompt for low risk items. Code:
MYID ALL=(ALL) NOPASSWD: /sbin/mount |
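Added example, not part of any post in this thread: a small audit that separates "allowed to do anything" rules from command-restricted ones, the distinction the post above draws. The alice, bob and %wheel entries are constructed, and the script assumes simple one-line rules.

```shell
#!/bin/sh
# Added example: classify each sudoers user specification by how much it grants.
# Assumes simple one-line rules (no line continuations, no per-command tag lists).

audit_sudoers() {
    # Reads sudoers-format text from the named files, or stdin if none given.
    # Prints: <user-or-%group> <UNRESTRICTED|restricted> <passwd|nopasswd>
    awk '
    /^[ \t]*#/ { next }        # comments (also skips #include directives)
    /^[ \t]*$/ { next }        # blank lines
    /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        who  = $1
        rest = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)/, "", rest)               # drop the (runas) list
        nopw = (rest ~ /NOPASSWD:/) ? "nopasswd" : "passwd"
        gsub(/[A-Z_]+:/, "", rest)                      # drop tags such as NOPASSWD:
        gsub(/^[ \t]+|[ \t]+$/, "", rest)               # trim whitespace
        scope = (rest == "ALL") ? "UNRESTRICTED" : "restricted"
        print who, scope, nopw
    }' "$@"
}

sample_sudoers() {
    # Constructed sample; only the MYID line comes from the post above.
    cat <<'EOF'
Defaults env_reset
alice  ALL=(ALL) ALL
bob    ALL=(ALL) NOPASSWD: ALL
MYID ALL=(ALL) NOPASSWD: /sbin/mount
%wheel ALL=(ALL:ALL) ALL
EOF
}

sample_sudoers | audit_sudoers
```

Any rule reported as UNRESTRICTED gives the same reach as a root shell; check an edited file with `visudo -c -f <file>` before relying on it.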
Debian's installer only adds the primary user to sudoers if you don't set a root password. I find this slightly annoying, and the way they word it in the installer, it seems like they are recommending using root instead of sudo! But I always leave it blank, which saves me a minute setting up sudoers later, and also of course prevents evil haxors from ever logging in as root.
|
As jmccue pointed out, the original idea of sudo was on networks. The administrator could delegate certain tasks to trusted users by adding them to sudoers and specifying exactly what command(s) they were allowed to use.
If you are using sudo, you are not "avoiding root" — you are becoming root as much as if you used su. You are also making the computer less secure. Have a look at my main distro's sudo policy: PCLinuxOS and sudo |
That link from PCLOS was a good read. I knew sudo global was effectively root but I never thought about it much as I'm the only user on my computer. But I don't keep my password too difficult so I think I need to make some changes. 8-10 years, still seeing things in a new light every day.
|
And I read that pclinuxos post from 12 years ago, he gives no reasons at all as to why a user account with sudo is less secure than root account that doesn't even need to type sudo to do damage. A normal user cannot use sudo, only users specifically configured as sudoers. The author of that post sounds like a grumpy crackpot. And I've never heard anyone call Ubuntu "The Buntus" before, wtf is that about? He made up (and thankfully defined) his own abbreviation to use his made up word just for that post. I wonder if this is his typical behavior. |
What little I know about sudo was learnt reading threads like this one…I’ve never used it.
When I was working, if I needed something done which needed root privileges, I asked an administrator to do it. (Put in a ticket) (I never worked as an admin) On my own servers, I use su - when needed. |
The universal sudo thing was first used by Knoppix, I think, and was revolutionary then. It came in very useful on a live distro that was often used for system rescue. Ubuntu was the first permanently installed distro to use it (only for the first registered user afair). AntiX used to do belt and braces: the first user had universal sudo rights but there also had to be a root password. In the last AntiX that I installed (AntiX-23) the root password had become optional. Having a root password is very useful to correct the sudoers file if you make a mistake while editing it, because then you can't use sudo at all. Our friend sundialsvc recommends that you create a second user without sudo rights and do all your internet work in that name. |
This may come as a shock to some, but the core drivers I install often do not include sudo in the basic install. If I want it I install it during setup. (I have a different escalation tool I prefer)
Sudo can be a great tool, but it is often misused or misconfigured in ways that present a needless vulnerability. Automating doing it wrong is not the same as doing it right. |
Anyway, how to tell a script kiddie? See if you are getting ssh requests for 'root' in your log.
Also most User IDs are probably a name, so dictionary attacks are probably simpler than a PW attack. Also these days, at least here, I am sure we all have rather secure passwords that a dictionary attack will take decades if not centuries. But on my systems, all logins through ssh disables password logins. |
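Added example, not part of any post in this thread: one way to run the log check suggested above, counting sshd authentication attempts for root per source address. The log lines are constructed, using documentation address ranges and the usual OpenSSH syslog message formats.

```shell
#!/bin/sh
# Added example: count sshd authentication attempts for root per source address.

root_ssh_attempts() {
    # Reads sshd syslog lines from the named files, or stdin if none given.
    # Prints "<count> <source>" per address, highest count first.
    # Counts failed password guesses for root, and root attempts that were
    # dropped before authenticating (what a key-only server logs).
    awk '
    /sshd(-session)?\[[0-9]+\]:/ {
        if (match($0, /Failed password for root from [^ ]+/) ||
            match($0, /authenticating user root [^ ]+/)) {
            n = split(substr($0, RSTART, RLENGTH), f, " ")
            count[f[n]]++          # last word of the match is the source address
        }
    }
    END { for (ip in count) print count[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

sample_auth_log() {
    # Constructed sample log lines.
    cat <<'EOF'
Mar  3 06:01:11 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 06:01:14 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 06:02:40 host sshd[1207]: Invalid user admin from 203.0.113.5 port 51301
Mar  3 06:05:02 host sshd[1215]: Connection closed by authenticating user root 198.51.100.7 port 40022 [preauth]
Mar  3 06:09:33 host sshd[1230]: Accepted publickey for alice from 192.0.2.10 port 50111 ssh2
EOF
}

sample_auth_log | root_ssh_attempts
```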