Membership in sudo group

kikinovak · 10-16-2014, 02:30 AM

Hi,

I practically never use the sudo command on a Linux system. Either I work as a normal user. Or I switch to the root account using 'su -' for administrative tasks. In the rare case I have to work on a Ubuntu server, first thing I do is activate the root account.

On a Slackware system, what's the difference between being a member of the sudo group and not being a member? I just experimented a bit, and in either case, a normal user can become root using 'su -'.

Cheers,

Niki

kikinovak · 10-16-2014, 02:48 AM

Thinking of it. When a user is created, adduser suggests to add the user to a collection of additional groups:

Code:

Press ENTER to continue without adding any additional groups 
Or press the UP arrow key to add/select/edit additional groups 
:  audio cdrom floppy plugdev video power netdev lp scanner

I'm familiar with the effect of some of these. For example, a user who is not member of the plugdev group can't mount a USB stick or an external hard disk. If someone knows the exact effect of (non-)membership in these groups, I'd be grateful for the information, because I can't seem to find it.

tronayne · 10-16-2014, 05:38 AM

Like you (and I suspect a whole lot of other folk) I don't use sudo in favor of su -. I believe, however, that sudo lets you tailor what users can do without access to the root password; you can limit a user to necessary (maybe) tasks without giving away the keys to the kingdom. It's a question of granting permissions to extremely limited activities rather than being able to edit system files and the like, eh?

Hope this helps some.

Alien Bob · 10-16-2014, 05:53 AM

Here at work, sudo is used extensively to give people a limited level of administrative access to servers, without the need for divulging the root password.
At home, I use sudo, so that only people in the "wheel" group can use sudo to become root at all (using "sudo -i"). Also, sudo configuration allows me to let mailman create mail aliases on the fly if new a list is being created.

I also limit the use of "su" through definitions in the file "/etc/suauth" (read "man suauth").

Eric

chrisretusn · 10-16-2014, 06:08 AM

I also use the wheel group to help control who has access to sudo and su as well. Normal users cannot use sudo or su at all unless I make the appropriate entries in sudoers and suauth. or add them to wheel.

GazL · 10-16-2014, 06:36 AM

Quote:

Originally Posted by kikinovak

On a Slackware system, what's the difference between being a member of the sudo group and not being a member?

Nothing. Unlike Ubuntu, Slackware is sensible enough not to have a 'sudo' group.

There is a commented-out example rule in the /etc/sudoers file:

Code:

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL

... basically meaning: anyone in group 'sudo' can do anything, as anyone, anywhere.

IMO, it should stay commented out!

"someone All=(ALL) ALL" and 'sudo -i', really aren't best-practice use of sudo. Canonical really haven't done sudo's reputation much good by misusing it the way they have. And they've done a lot of novice users a disservice by teaching them bad habits.