[GRLUG] Distro's - was GRLUG test comment

Raymond McLaughlin driveray at ameritech.net
Thu May 4 22:21:53 EDT 2006


Tim Schmidt wrote:
> On 5/4/06, Ron Lauzon <rlauzon at gmail.com> wrote:

>> In which case, you have a "privileged" user account and a "regular" user
>> account and no root user account.
>>
>> So what's the difference between that and having a regular user account
>> and root?
> 
> Ok...  here's the drawing...
> 
> ==you==
> Root - no restrictions
> User - many restrictions
> 
> ==sudo==
> Root - completely disabled
> Admin - Regular user, ability to escalate privileges to do special stuff
> User1 - Regular user, ability to run widgetfrobber with escalated
> permissions because she needs it for her job, restricted otherwise
> User2 - Regular user, many restrictions

In this scheme it seems that user Admin (actually, caps in user name is commonly 
frowned upon, but ...) can sudo *any* command. Basically any user who can 'sudo 
bash' can then run everything else as root from then on. So in this case brute 
forcing Admin's password is as good as brute forcing root.

If no one is actually named 'admin', guessing which user to brute force on a 
basic Ubuntu system is simple. If you "ls -n /home" and go for the user with the 
lowest uid you'd probably guess right.

Of course a with a more elaborate, custom config, sudo can be used to dole out 
more fine grained priveleges. But you could do that with or without a root login.

So it seems to me that a scheme that allows any given user the power to sudo 
*anything* is more about cultivating prudent habits than security per se.

Sorry if I misunderstood your discussion.

Raymond McLaughlin


More information about the grlug mailing list