[GRLUG] Distro's - was GRLUG test comment
rlauzon at gmail.com
Thu May 4 19:03:17 EDT 2006
Tim Schmidt wrote:
> _A_ normal user. As in one. The first one setup on the system.
> Which is, presumably, you. Since you installed the OS.
So, we now have a normal user that is allowed to run commands a root
without verification that he can do so.
> No it can't. It must supply your password to do so, which is one-way
> hashed on your drive.
Ya, so? All that supplying my password proves is that I am me. That's
it. It doesn't prove that I should be running things as root.
> The secret is the user's password.
> It checks your password, and the sudoers file.
And since the user has all the power of root, he can change the sudoers
file. Not much security there either.
On my Mandriva system, the install sets up root and asks for the root
password. Then it asks me to set up a "normal" user - this is what I
log in as to do my normal things. When I need the power of root, I must
supply the root password, proving that I should be doing those things as
On Ubuntu, the install doesn't install a root password, but asks me to
set up a "normal" user. It then proceeds to give this "normal" user all
the access of root, with only the minor speed bump of having to enter
the user's password as "security". In my professional opinion, this
isn't secure and wouldn't be permitted on any corporate system. Home
system, maybe, but not anything more than that.
Think of a non-computer savvy user. He runs a neat "utility" that he
just downloaded. He's used to getting popups that ask for his password
from other programs. This "utility" does that too. But this "utility"
it a trojan that proceeds to infect his system with some sort of malware.
So, to secure the system, we have to create yet another user. One that
can't sudo (or may be able to sudo only certain commands), leaving the
first user ID set up to be, in effect, root.
Or, set up the root password and remove the first user from the sudoers
Either way, we end up with the same configuration as my Mandriva system
- but instead of getting it automatically, I had to think about it and
configure it myself.
Ron Lauzon - rlauzon at acm dot org
DNRC: Lord of All Things That Are Fattening
"To be sure, conservative radio talk show hosts have a built-in
audience unavailable to liberals: People driving cars to some
sort of job." - Ann Coulter
Microsoft Free since July 06, 2001
Running Mandriva Linux 2005LE
More information about the grlug