LinuxQuestions.org
Old 02-19-2017, 11:39 AM   #16
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217

Systemd at least has a point, it is just that it goes much further than the point... Sudo-only is pointless and something I have had issues with in Ubuntu in the past.
 
Old 02-19-2017, 11:47 AM   #17
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,534

Rep: Reputation: 2322
Quote:
Originally Posted by hazel
I'm sure that's new. Sudo-only is like systemd: it spreads by infection.

I think the sudo-only option has been around a while, a few years at least, on some installers though I don't recall whether it's the alternative install or the standard one which has it because I've used both.
 
Old 02-19-2017, 11:39 PM   #18
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.10, Centos 7.5
Posts: 17,707

Rep: Reputation: 2497
Originally sudo was invented so that Senior sysadmins could delegate jobs to juniors/operators such as backups which normally require root access.
Sudo was always set to only allow specific reqd cmds (eg by backup tool) and nothing else.
This means that only Seniors used 'su -' and knew the root passwd.

Unfortunately (imho), Ubuntu decided that locking out root (I believe they create a random passwd at install) and auto adding 1st created user as sudo with complete total root access was a good idea ... sigh...

Last edited by chrism01; 02-20-2017 at 04:12 AM.
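
Added example (not part of chrism01's post or of sudo itself): a shell function that sorts sudoers rules into those limited to specific commands, as in the delegation model described above, and those granting every command. The sample sudoers text, the `backupop` user and the `/usr/local/bin/backup-tool` path are constructed for illustration; alias expansion and line continuations are not handled.

```shell
#!/bin/sh
# Classify each sudoers rule read on stdin as FULL (may run any command)
# or LIMITED (only the listed commands).
# Assumptions: one rule per line, no Cmnd_Alias expansion, and files pulled
# in by include directives are fed in separately.
classify_sudoers() {
    awk '
        /^[ \t]*$/ { next }                                      # blank lines
        /^[ \t]*(#|@include|Defaults|[A-Za-z]+_Alias)/ { next }  # comments, includes, settings, aliases
        {
            who = $1
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)      # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)   # drop "(runas)"
            gsub(/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):[ \t]*/, "", spec)  # drop tags
            sub(/[ \t]+$/, "", spec)
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            full = 0
            for (i = 1; i <= n; i++) if (cmds[i] == "ALL") full = 1
            printf "%s %s\n", (full ? "FULL" : "LIMITED"), who
        }
    '
}

# Constructed sample, not taken from a real host.
SAMPLE_SUDOERS='Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL) ALL
backupop ALL=(root) NOPASSWD: /usr/local/bin/backup-tool, /bin/mount /mnt/backup
@includedir /etc/sudoers.d'

printf '%s\n' "$SAMPLE_SUDOERS" | classify_sudoers
```

The commented-out `%wheel` line is skipped, so a group only shows up here once its rule is active.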
 
Old 02-20-2017, 04:02 AM   #19
petelq
Member
 
Registered: Aug 2008
Location: UK
Distribution: openSUSE(Leap and Tumbleweed) and a regularly changing third
Posts: 436

Rep: Reputation: Disabled
I'm pretty sure you can set a root password in Ubuntu if you want to and then use 'su'. I've done it with a couple of Ubuntu based distros I experiment with.
 
Old 02-20-2017, 05:43 AM   #20
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,534

Rep: Reputation: 2322
Quote:
Originally Posted by petelq
I'm pretty sure you can set a root password in Ubuntu if you want to and then use 'su'. I've done it with a couple of Ubuntu based distros I experiment with.

Yes, I have done that also. Apparently one can be banned from the official Ubuntu forums for explaining how it is done?
 
Old 02-20-2017, 06:25 AM   #21
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,413

Rep: Reputation: Disabled
You could write a book about correct sudo usage... in fact someone did: https://www.michaelwlucas.com/tools/sudo

Often the arguments for misuse of sudo are along the lines of "well look what cat gets used for, not what it was originally designed for, etc...". That seems like a weak argument, invoked solely to justify poor practice. One could use a similar argument to justify starting X as the root user, etc.

I find the sudo website quite informative: https://www.sudo.ws/intro.html

The advantages are obvious, but if you're the owner/user/admin of a single user desktop you probably won't need those features. If as the owner/user/admin you're set up to do everything root can do, then it becomes pretty pointless.
Quote:
Originally Posted by 273
Apparently one can be banned from the official Ubuntu forums for explaining how it is done?

True.
 
Old 02-20-2017, 06:47 AM   #22
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Quote:
Originally Posted by chrism01
Originally sudo was invented so that Senior sysadmins could delegate jobs to juniors/operators such as backups which normally require root access.
Sudo was always set to only allow specific reqd cmds (eg by backup tool) and nothing else.
This means that only Seniors used 'su -' and knew the root passwd.

Unfortunately (imho), Ubuntu decided that locking out root (I believe they create a random passwd at install) and auto adding 1st created user as sudo with complete total root access was a good idea ... sigh...

And you are saying it is not a good idea to create the 1st user with total sudo access? I'd say this is a good idea in my opinion. As if you are setting up a remote system, you won't want to connect via root over SSH and so you'd want to default to using the 1st created user. If it isn't a multi-user system with SSH then you are probably going to be using the 1st created user as your default user anyways, which you would likely require the ability to escalate privileges from.

The bad idea is disabling su for arbitrary reasons that don't really make sense once applied to the real-world. Both su and sudo have their place and purpose.
 
Old 02-21-2017, 02:42 AM   #23
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.10, Centos 7.5
Posts: 17,707

Rep: Reputation: 2497
Actually, if the 1st user has full sudo (root) rights, someone only needs to find/guess one passwd for total access.
If you have a non-priv user and have an active root (no remote allowed), then they have to get 2 passwds ...
 
Old 02-21-2017, 02:58 AM   #24
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware, OpenBSD
Posts: 4,057
Blog Entries: 11

Rep: Reputation: 2238
Quote:
Originally Posted by r3sistance
The bad idea is disabling su for arbitrary reasons that don't really make sense once applied to the real-world. Both su and sudo have their place and purpose.

That's how AntiX does it. The first user has full sudo rights, but you also create a root password when you install, so that you can use su in an emergency. How else can you correct a bad sudoers file, without having to use something like System Rescue?
 
Old 02-21-2017, 03:11 AM   #25
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Quote:
Originally Posted by chrism01
Actually, if the 1st user has full sudo (root) rights, someone only needs to find/guess one passwd for total access.
If you have a non-priv user and have an active root (no remote allowed), then they have to get 2 passwds ...

If your password is leaked/cracked that quickly, it can almost be assumed (and SHOULD be assumed) that both passwords got leaked/cracked that quickly, meaning you'll wanna reinstall the system from scratch. As you'll note, I said a remote system. Also as we are talking a remote system, you should be disabling password authentication anyways and enabling SSH keys as a very very early step, so even with Sudo, you'd need a private key and a password which is much more secure than two passwords.

Generally, I do not believe the root password should be used remotely as in some cases the root password may need to be used locally by onsite engineers to perform certain tasks (I.E. fsck on a potentially corrupted partition). Any password in common usage should be rotated out systematically, which can cause issues if the onsite engineers then don't know the root password because it got changed and the system is down after a reboot, requiring maintenance at local console.

Quote:
Originally Posted by hazel
That's how AntiX does it. The first user has full sudo rights, but you also create a root password when you install, so that you can use su in an emergency. How else can you correct a bad sudoers file, without having to use something like System Rescue?

RHEL/CentOS can also be set-up like this, it gives you the configuration options during installation, iirc it has a checkbox that says "make this user an administrator", that will automatically set-up the user with full sudo rights. And I believe su is also always available by default too.

Last edited by r3sistance; 02-21-2017 at 03:14 AM.
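
Added example (not from the post above): a shell check of the settings r3sistance mentions, password authentication off, key authentication on and no root login over SSH, applied to sshd_config text. The sample configuration is constructed, the defaults are those of upstream OpenSSH (an assumption for any given distribution), and only the global section before the first `Match` line is read.

```shell
#!/bin/sh
# Print the value sshd would use for one keyword, given sshd_config text on stdin.
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive, so a later duplicate line changes nothing.
sshd_effective() {   # usage: sshd_effective Keyword default < config
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*$/ { next }                      # blank lines
        /^[ \t]*#/ { next }                      # comments
        tolower($1) == "match" { exit }          # stop at the first Match block
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }            # keyword absent: built-in default
    '
}

# Compare the effective values with the ones the post recommends.
# Each rule is Keyword:upstream-default:wanted-value.
# Keyboard-interactive (PAM) authentication is a separate setting, not checked here.
audit_ssh_login() {  # usage: audit_ssh_login "$config_text"
    for rule in PasswordAuthentication:yes:no PubkeyAuthentication:yes:yes \
                PermitRootLogin:prohibit-password:no; do
        key=${rule%%:*}; rest=${rule#*:}
        def=${rest%%:*}; want=${rest#*:}
        val=$(printf '%s\n' "$1" | sshd_effective "$key" "$def")
        [ "$val" = "$want" ] && verdict=OK || verdict=REVIEW
        printf '%s=%s %s\n' "$key" "$val" "$verdict"
    done
}

# Constructed sample: the "no" appended at the end has no effect,
# because an earlier PasswordAuthentication line already set the value.
SAMPLE_SSHD_CONFIG='PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later
PasswordAuthentication no'

audit_ssh_login "$SAMPLE_SSHD_CONFIG"
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, including included files, and is the authoritative check.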
 
Old 02-21-2017, 07:16 AM   #26
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,534

Rep: Reputation: 2322
The reason I don't use sudo is because I run single-user systems I own so I have no use for it. For some tasks it makes things more difficult if sudo is used so to me it's more trouble than it's worth.
A side-effect of sudo setup in Ubuntu, which one cannot really blame Canonical for, is the "sudo addiction" some seem to suffer from where they seem to start any terminal command with sudo.
 
Old 02-21-2017, 07:36 AM   #27
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware, OpenBSD
Posts: 4,057
Blog Entries: 11

Rep: Reputation: 2238
I like sudo because it's convenient. For a sequence of root operations, I use su, but it seems like overkill to start a new session for just one command. I know you can use su -c, but then you must put your command and its arguments in quotes, which is a complication I can do without.

The first thing I do on a new system is to uncomment the permissions given to the wheel group in most standard sudoers files and then add myself to that group.
 
Old 02-21-2017, 07:49 AM   #28
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 8,018
Blog Entries: 5

Rep: Reputation: 2872
I have to say that I'm very comfortable using sudo with no separate root account enabled.

If I do have to do any prolonged root-level work then I'll just open a terminal window and/or my file manager as superuser.

I feel very much in a minority here though. ;-)
 
  


All times are GMT -5.