02-19-2017, 10:39 AM
|
#16
|
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375
|
Systemd at least has a point, it is just that it goes much further than the point... Sudo-only is pointless and something I have had issues with in Ubuntu in the past.
|
|
|
02-19-2017, 10:47 AM
|
#17
|
LQ Addict
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,681
|
Quote:
Originally Posted by hazel
I'm sure that's new. Sudo-only is like systemd: it spreads by infection.
|
I think the sudo-only option has been around a while, a few years at least, on some installers though I don't recall whether it's the alternative install or the standard one which has it because I've used both.
|
|
|
02-19-2017, 10:39 PM
|
#18
|
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.x
Posts: 18,444
|
Originally sudo was invented so that Senior sysadmins could delegate jobs to juniors/operators such as backups which normally require root access.
Sudo was always set to only allow specific reqd cmds (eg by backup tool) and nothing else.
This means that only Seniors used 'su -' and knew the root passwd.
Unfortunately (imho), Ubuntu decided that locking out root (I believe they create a random passwd at install) and auto adding 1st created user as sudo with complete total root access was a good idea ... sigh...
Last edited by chrism01; 02-20-2017 at 03:12 AM.
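The contrast drawn in the post above (sudo limited to specific delegated commands versus a first user with complete root access) can be checked mechanically. The following is an added example, not part of the original thread: a small shell audit that classifies sudoers rules as full-root or restricted. The sample rules, user names and command paths are constructed, and the parser assumes one rule per line with no aliases or line continuations.

```shell
#!/bin/sh
# Added example: classify sudoers user specifications as full-root or restricted.
# SAMPLE_SUDOERS is constructed for illustration; names and paths are hypothetical.
SAMPLE_SUDOERS='# delegation: operators may run the backup tool and nothing else
%operators ALL=(root) /usr/local/sbin/run-backup
# installer-style default: every member of group sudo gets everything
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
Defaults env_reset
bob     ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl
carol   ALL=(ALL) ALL, !/bin/su'

# Reads sudoers text on stdin; prints "<who> FULL", "<who> FULL-NOPASSWD"
# or "<who> RESTRICTED" for each user specification.
# Simplifications: one rule per line, no line continuations, aliases and
# include directives are skipped rather than expanded.
classify_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, includes, blank lines
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }  # settings and alias definitions
    {
      who = $1
      spec = $0
      sub(/^[^=]*=/, "", spec)                   # drop the "who host =" part
      sub(/^[ \t]*\([^)]*\)/, "", spec)          # drop an optional (runas) list
      nopw = (spec ~ /NOPASSWD:/)
      gsub(/[A-Z_]+:/, "", spec)                 # drop tags such as NOPASSWD:
      full = 0
      n = split(spec, cmds, ",")
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        gsub(/^[ \t]+|[ \t]+$/, "", c)
        # A bare ALL grants every command; a later "!cmd" does not
        # turn that into a real restriction, so it still counts as FULL.
        if (c == "ALL") full = 1
      }
      if (full) print who, (nopw ? "FULL-NOPASSWD" : "FULL")
      else print who, "RESTRICTED"
    }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | classify_sudoers
```

On a real system the input would be the active sudoers file and any included fragments, read as root.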
|
|
|
02-20-2017, 03:02 AM
|
#19
|
Member
Registered: Aug 2008
Location: Yorkshire
Distribution: openSUSE(Leap and Tumbleweed) and a (not so) regularly changing third and fourth
Posts: 629
|
I'm pretty sure you can set a root password in ubuntu if you want to and then use 'su'. I've done it with a couple of ubuntu based distros I experiment with.
|
|
|
02-20-2017, 04:43 AM
|
#20
|
LQ Addict
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,681
|
Quote:
Originally Posted by petelq
I'm pretty sure you can set a root password in ubuntu if you want to and then use 'su'. I've done it with a couple of ubuntu based distros I experiment with.
|
Yes, I have done that also. Apparently one can be banned from the official Ubuntu forums for explaining how it is done?
|
|
|
02-20-2017, 05:25 AM
|
#21
|
Senior Member
Registered: Apr 2005
Posts: 2,727
|
You could write a book about correct sudo usage... in fact someone did: https://www.michaelwlucas.com/tools/sudo
Often the arguments for misuse of sudo are along the lines of "well look what cat gets used for, not what it was originally designed for, etc...". That seems like a weak argument, invoked solely to justify poor practice. One could use a similar argument to justify starting X as the root user, etc.
I find the sudo website quite informative: https://www.sudo.ws/intro.html
The advantages are obvious, but if you're the owner/user/admin of a single user desktop you probably won't need those features. If as the owner/user/admin you're set up to do everything root can do, then it becomes pretty pointless.
Quote:
Originally Posted by 273
Apparently one can be banned from the official Ubuntu forums for explaining how it is done?
|
True.
|
|
|
02-20-2017, 05:47 AM
|
#22
|
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375
|
Quote:
Originally Posted by chrism01
Originally sudo was invented so that Senior sysadmins could delegate jobs to juniors/operators such as backups which normally require root access.
Sudo was always set to only allow specific reqd cmds (eg by backup tool) and nothing else.
This means that only Seniors used 'su -' and knew the root passwd.
Unfortunately (imho), Ubuntu decided that locking out root (I believe they create a random passwd at install) and auto adding 1st created user as sudo with complete total root access was a good idea ... sigh...
|
And you are saying it is not a good idea to create the 1st user with total sudo access? I'd say this is a good idea in my opinion. As if you are setting up a remote system, you won't want to connect via root over SSH and so you'd want to default to using the 1st created user. If it isn't a multi-user system with SSH then you are probably going to be using the 1st created user as your default user anyways, which you would likely require the ability to escalate privileges from.
The bad idea is disabling su for arbitrary reasons that don't really make sense once applied to the real-world. Both su and sudo have their place and purpose.
|
|
|
02-21-2017, 01:42 AM
|
#23
|
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.x
Posts: 18,444
|
Actually, if the 1st user has full sudo (root) rights, someone only needs to find/guess one passwd for total access.
If you have a non-priv user and have an active root (no remote allowed), then they have to get 2 passwds ...
|
|
|
02-21-2017, 01:58 AM
|
#24
|
LQ Guru
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 8,420
|
Quote:
Originally Posted by r3sistance
The bad idea is disabling su for arbitrary reasons that don't really make sense once applied to the real-world. Both su and sudo have their place and purpose.
|
That's how AntiX does it. The first user has full sudo rights, but you also create a root password when you install, so that you can use su in an emergency. How else can you correct a bad sudoers file, without having to use something like System Rescue?
|
|
|
02-21-2017, 02:11 AM
|
#25
|
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375
|
Quote:
Originally Posted by chrism01
Actually, if the 1st user has full sudo (root) rights, someone only needs to find/guess one passwd for total access.
If you have a non-priv user and have an active root (no remote allowed), then they have to get 2 passwds ...
|
If your password is leaked/cracked that quickly, it can almost be assumed (and SHOULD be assumed) that both passwords got leaked/cracked that quickly, meaning you'll wanna reinstall the system from scratch. As you'll note, I said a remote system. Also as we are talking a remote system, you should be disabling password authentication anyways and enabling SSH keys as a very very early step, so even with Sudo, you'd need a private key and a password which is much more secure than two passwords.
Generally, I do not believe the root password should be used remotely as in some cases the root password may need to be used locally by onsite engineers to perform certain tasks (i.e. fsck on a potentially corrupted partition). Any password in common usage should be rotated out systematically, which can cause issues if the onsite engineers then don't know the root password because it got changed and the system is down after a reboot, requiring maintenance at local console.
Quote:
Originally Posted by hazel
That's how AntiX does it. The first user has full sudo rights, but you also create a root password when you install, so that you can use su in an emergency. How else can you correct a bad sudoers file, without having to use something like System Rescue?
|
RHEL/CentOS can also be set up like this, it gives you the configuration options during installation, iirc it has a checkbox that says "make this user an administrator", that will automatically set up the user with full sudo rights. And I believe su is also always available by default too.
Last edited by r3sistance; 02-21-2017 at 02:14 AM.
|
|
|
02-21-2017, 06:16 AM
|
#26
|
LQ Addict
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,681
|
The reason I don't use sudo is because I run single-user systems I own so I have no use for it. For some tasks it makes things more difficult if sudo is used so to me it's more trouble than it's worth.
A side-effect of sudo setup in Ubuntu, which one cannot really blame Canonical for, is the "sudo addiction" some seem to suffer from where they seem to start any terminal command with sudo.
|
|
|
02-21-2017, 06:36 AM
|
#27
|
LQ Guru
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 8,420
|
I like sudo because it's convenient. For a sequence of root operations, I use su, but it seems like overkill to start a new session for just one command. I know you can use su -c, but then you must put your command and its arguments in quotes, which is a complication I can do without.
The first thing I do on a new system is to uncomment the permissions given to the wheel group in most standard sudoers files and then add myself to that group.
|
|
|
02-21-2017, 06:49 AM
|
#28
|
LQ Guru
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 21 MATE
Posts: 8,048
|
I have to say that I'm very comfortable using sudo with no separate root account enabled.
If I do have to do any prolonged root-level work then I'll just open a terminal window and/or my file manager as superuser.
I feel very much in a minority here though. ;-)
|
|
|