Linux - Newbie: This Linux forum is for members that are new to Linux.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Systemd at least has a point, it is just that it goes much further than the point... Sudo-only is pointless and something I have had issues with in Ubuntu in the past.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,672
Quote:
Originally Posted by hazel
I'm sure that's new. Sudo-only is like systemd: it spreads by infection.
I think the sudo-only option has been around a while, a few years at least, on some installers though I don't recall whether it's the alternative install or the standard one which has it because I've used both.
Originally sudo was invented so that Senior sysadmins could delegate jobs to juniors/operators such as backups which normally require root access.
Sudo was always set to only allow specific reqd cmds (eg by backup tool) and nothing else.
This means that only Seniors used 'su -' and knew the root passwd.
Unfortunately (imho), Ubuntu decided that locking out root (I believe they create a random passwd at install) and auto adding 1st created user as sudo with complete total root access was a good idea ... sigh...
Distribution: openSUSE(Leap and Tumbleweed) and a (not so) regularly changing third and fourth
Posts: 611
I'm pretty sure you can set a root password in ubuntu if you want to and then use 'su'. I've done it with a couple of ubuntu based distros I experiment with.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,672
Quote:
Originally Posted by petelq
I'm pretty sure you can set a root password in ubuntu if you want to and then use 'su'. I've done it with a couple of ubuntu based distros I experiment with.
Yes, I have done that also. Apparently one can be banned from the official Ubuntu forums for explaining how it is done?
Often the arguments for misuse of sudo are along the lines of "well look what cat gets used for, not what it was originally designed for, etc...". That seems like a weak argument, invoked solely to justify poor practice. One could use a similar argument to justify starting X as the root user, etc.
The advantages are obvious, but if you're the owner/user/admin of a single user desktop you probably won't need those features. If as the owner/user/admin you're set up to do everything root can do, then it becomes pretty pointless.
Quote:
Originally Posted by 273
Apparently one can be banned from the official Ubuntu forums for explaining how it is done?
Originally sudo was invented so that Senior sysadmins could delegate jobs to juniors/operators such as backups which normally require root access.
Sudo was always set to only allow specific reqd cmds (eg by backup tool) and nothing else.
This means that only Seniors used 'su -' and knew the root passwd.
Unfortunately (imho), Ubuntu decided that locking out root (I believe they create a random passwd at install) and auto adding 1st created user as sudo with complete total root access was a good idea ... sigh...
And you are saying it is not a good idea to create the 1st user with total sudo access? I'd say this is a good idea in my opinion. As if you are setting up a remote system, you won't want to connect via root over SSH and so you'd want to default to using the 1st created user. If it isn't a multi-user system with SSH then you are probably going to be using the 1st created user as your default user anyways, which you would likely require the ability to escalate privileges from.
The bad idea is disabling su for arbitrary reasons that don't really make sense once applied to the real-world. Both su and sudo have their place and purpose.
Actually, if the 1st user has full sudo (root) rights, someone only needs to find/guess one passwd for total access.
If you have a non-priv user and have an active root (no remote allowed), then they have to get 2 passwds ...
The bad idea is disabling su for arbitrary reasons that don't really make sense once applied to the real-world. Both su and sudo have their place and purpose.
That's how AntiX does it. The first user has full sudo rights, but you also create a root password when you install, so that you can use su in an emergency. How else can you correct a bad sudoers file, without having to use something like System Rescue?
Actually, if the 1st user has full sudo (root) rights, someone only needs to find/guess one passwd for total access.
If you have a non-priv user and have an active root (no remote allowed), then they have to get 2 passwds ...
If your password is leaked/cracked that quickly, it can almost be assumed (and SHOULD be assumed) that both passwords got leaked/cracked that quickly, meaning you'll wanna reinstall the system from scratch. As you'll note, I said a remote system. Also as we are talking a remote system, you should be disabling password authentication anyways and enabling SSH keys as a very very early step, so even with Sudo, you'd need a private key and a password which is much more secure than two passwords.
Generally, I do not believe the root password should be used remotely as in some cases the root password may need to be used locally by onsite engineers to perform certain tasks (i.e. fsck on a potentially corrupted partition). Any password in common usage should be rotated out systematically, which can cause issues if the onsite engineers then don't know the root password because it got changed and the system is down after a reboot, requiring maintenance at local console.
Quote:
Originally Posted by hazel
That's how AntiX does it. The first user has full sudo rights, but you also create a root password when you install, so that you can use su in an emergency. How else can you correct a bad sudoers file, without having to use something like System Rescue?
RHEL/CentOS can also be set up like this, it gives you the configuration options during installation, iirc it has a checkbox that says "make this user an administrator", that will automatically set up the user with full sudo rights. And I believe su is also always available by default too.
Last edited by r3sistance; 02-21-2017 at 02:14 AM.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,672
The reason I don't use sudo is because I run single-user systems I own so I have no use for it. For some tasks it makes things more difficult if sudo is used so to me it's more trouble than it's worth.
A side-effect of sudo setup in Ubuntu, which one cannot really blame Canonical for, is the "sudo addiction" some seem to suffer from where they seem to start any terminal command with sudo.
I like sudo because it's convenient. For a sequence of root operations, I use su, but it seems like overkill to start a new session for just one command. I know you can use su -c, but then you must put your command and its arguments in quotes, which is a complication I can do without.
The first thing I do on a new system is to uncomment the permissions given to the wheel group in most standard sudoers files and then add myself to that group.
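The thread contrasts two sudoers styles: command-scoped delegation and a blanket grant to the first user or an admin group. As an added example (not code from any poster), this sketch classifies each rule in a sudoers text as one or the other. The sample file is constructed, and the names `operator` and `alice` and the command paths are hypothetical.

```shell
#!/bin/sh
# Added example: classify sudoers rules as blanket root grants (FULL)
# or command-scoped delegation (SCOPED). Sample content is constructed.
SAMPLE_SUDOERS='# constructed sample sudoers
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL) ALL
operator ALL=(root) NOPASSWD: /usr/bin/rsync, \
    /usr/sbin/dump
alice    ALL=(ALL) /usr/bin/systemctl restart nginx, ALL
'

# audit_sudoers: read sudoers text on stdin, print "<FULL|SCOPED> <who>" per rule.
# Simplification: include directives and alias expansion are not followed.
audit_sudoers() {
    awk '
    # join backslash-continued lines into one logical rule
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    { line = buf $0; buf = "" }
    # skip blanks, comments (a commented-out %wheel rule grants nothing)
    line ~ /^[ \t]*$/ || line ~ /^[ \t]*#/ { next }
    # skip Defaults and alias definitions, and anything without a host=cmd spec
    line ~ /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
    index(line, "=") == 0 { next }
    {
        $0 = line; who = $1
        cmds = substr(line, index(line, "=") + 1)
        gsub(/\([^)]*\)/, "", cmds)   # drop Runas specs such as (ALL:ALL)
        gsub(/[A-Z_]+:/, "", cmds)    # drop tags such as NOPASSWD:
        n = split(cmds, c, ","); kind = "SCOPED"
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", c[i])
            # a single ALL anywhere in the list makes the whole rule a root grant
            if (c[i] == "ALL") kind = "FULL"
        }
        print kind, who
    }'
}

printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers
```

Run it against a copy of the real file with `audit_sudoers < sudoers.copy`; syntax validation of an edited file is a separate step done with `visudo -c`.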