[GRLUG] Distro's - was GRLUG test comment

Collin adderd at kkmfg.com
Thu May 4 17:44:43 EDT 2006


But the problem is that, in Ubuntu, the first user setup can do ANYTHING 
they want w/ sudo by just giving their own password. Sure, you have to 
enter your password but it still doesn't really do its job of 
preventing a normal user from doing something dumb. Sure, it will ask 
for their password if they type rm -rf but it will not warn them why 
that's a really bad idea. Basically, that user IS root but with an extra 
password prompt before you do anything.

If a knowledgeable person is running Ubuntu then its setup is probably 
fine. They'll be able to run their root commands without needing to be 
root and with the extra security of a password prompt. However, I'd 
doubt that it's sufficient protection against destruction in the hands 
of a novice.

I'd agree that sudo is better 'when properly configured.' I'm not sure 
Ubuntu fits that classification.

Tim Schmidt wrote:
> From the Wikipedia article on su
> (http://en.wikipedia.org/wiki/Su_%28computing%29):
>
> ----
> A related command called sudo executes a command as another user but
> observes a set of constraints about which users can execute which
> commands as which other users (generally in a configuration file named
> /etc/sudoers). Unlike su, sudo authenticates users against their own
> password rather than that of the target user (to allow the delegation
> of specific commands to specific users on specific hosts without
> sharing passwords among them and while mitigating the risk of any
> unattended terminals).
>
> Great care must be taken by a system administrator to choose a
> suitable password for the root account, to prevent any possible
> takeover by a low level user running su. Some Unix-like systems have a
> wheel group of users, and only allow these users to su to root. This
> may or may not mitigate these security concerns, since an intruder
> might first simply break into one of those accounts. GNU su, however,
> does not support a wheel group; this was done for philosophical
> reasons. [1]
> ----
>
> Enough said.
>
> --tim
>   
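
Added example, not part of the original messages: a small checker for the situation discussed in this thread, where a sudoers entry lets an account run every command as root. The sample entries are constructed, and the parser assumes a simplified sudoers grammar (one specification per line, no alias expansion, no include handling).

```python
import re

# Constructed sample in sudoers syntax (not copied from any real system).
SAMPLE = """\
# constructed example
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        /bin/tar
deploy  web1=(www-data) /usr/bin/systemctl restart app
"""

# who host=(runas) [TAG: ...] cmd, cmd ...   (simplified grammar: no alias
# expansion, no include handling, one spec per line)
SPEC = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

def parse_sudoers(text):
    """Return a list of dicts, one per user specification line."""
    specs = []
    for line in re.sub(r"\\\n", " ", text).splitlines():  # fold continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults") or re.match(r"\w+_Alias\b", line):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, host, runas, rest = m.groups()
        t = TAGS.match(rest)
        tags = re.findall(r"[A-Z_]+", t.group()) if t else []
        cmds = [c.strip() for c in rest[t.end() if t else 0:].split(",")]
        specs.append({
            "who": who, "host": host, "tags": tags, "cmds": cmds,
            # sudo runs the command as root when no runas list is given
            "runas": [u.strip() for u in (runas or "root").split(":")[0].split(",")],
        })
    return specs

def blanket_grants(text):
    """(who, passwordless) for entries that allow every command as root."""
    return [(s["who"], "NOPASSWD" in s["tags"]) for s in parse_sudoers(text)
            if "ALL" in s["cmds"] and {"ALL", "root"} & set(s["runas"])]

if __name__ == "__main__":
    for who, nopw in blanket_grants(SAMPLE):
        print(f"{who}: unrestricted root via sudo (NOPASSWD={nopw})")
```

On the constructed sample only the root and %admin entries are reported; the backup and deploy entries are limited to named commands and are not.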


