[GRLUG] Distro's - was GRLUG test comment

Tim Schmidt timschmidt at gmail.com
Thu May 4 17:29:55 EDT 2006


On 5/4/06, Ron Lauzon <rlauzon at gmail.com> wrote:
> Huh?  Did you READ what I wrote?

Yes.

> Ubuntu lets a normal user run things as root and the only protection it
> has is for you to type in THE USER'S password (not the root password).

_A_ normal user.  As in one.  The first one setup on the system. 
Which is, presumably, you.  Since you installed the OS.

> Highly insecure.

Please, do explain.

> Right now, on my Mandriva box, if some malware were to drop a script and
> run it on my PC, the worst it could do is mess up my user area.  But on
> Ubuntu, it could mess up the whole system if the user isn't paying
> attention.

No it can't.  It must supply your password to do so, which is one-way
hashed on your drive.  It has no way of getting it other than you
typing it in, please explain how that's less secure than giving the
root account it's own password.

> Yes, more Windows-like since it lets the user do super-user things
> without knowing some secret (which is usually root password).

The secret is the user's password.

> While not as insecure as Windows, it is certainly much less secure than
> my Mandriva system.

Not at all.

> You missed my point: a normal user should never be able to do that
> without providing some sort of proof that they have permission to do
> that.  Ubuntu has no such check.

It checks your password, and the sudoers file.

--tim


More information about the grlug mailing list