Suggestion: Sudo in standart installation

News and discussion about development of the Debian OS itself

Suggestion: Sudo in standart installation

Postby DingoBoy » 2008-11-09 11:04

Pretty simple:
Is there any specific installation that a default-configured sudo option is only avaliable in the expert install? I believe it would be a good option to include directly in the normal install, because, I hope we agree, sudo is much safer.

Is there any specific reason this has been left out? If it is a very tricky thing to do, I apologise for my ignorance.

Just curious.

Comradely, DingoBoy.
DingoBoy
 
Posts: 5
Joined: 2008-10-28 19:29

Re: Suggestion: Sudo in standart installation

Postby Telemachus » 2008-11-09 11:59

DingoBoy wrote:Pretty simple:
Is there any specific installation that a default-configured sudo option is only avaliable in the expert install? I believe it would be a good option to include directly in the normal install, because, I hope we agree, sudo is much safer.

Ah, but there's the rub. We don't agree: sudo is not much safer.

It's easy to install, if you want it. Just use your favorite package manager and install sudo. Then use the helper program visudo to set it up.
"We have not been faced with the need to satisfy someone else's requirements, and for this freedom we are grateful."
Dennis Ritchie and Ken Thompson, The UNIX Time-Sharing System
User avatar
Telemachus
 
Posts: 4677
Joined: 2006-12-25 15:53

Postby saulgoode » 2008-11-09 15:44

The "default configuration" of SUDO is to behave as though SUDO was not installed (i.e., no privileges granted except to root). I don't see any real problem were SUDO to be automatically installed using this configuration, but I also don't see much point.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian Kernighan
User avatar
saulgoode
 
Posts: 1545
Joined: 2007-10-22 11:34

Postby BioTube » 2008-11-09 15:54

I don't see how sudo is much safer if abused to be an alternative to su. It is meant to allow people who need to do certain things root privileges FOR THOSE THINGS ONLY(hence why the root password isn't asked for). For example, I have a script that takes down a network interface and brings it back up; I use sudo(and a wrapper script) to allow the other users of this machine to use it without problem(note that sudo's configured to only let them run the script, not ifupdown). Using sudo to replace su is just asking to get your system shot to hell since malware just has to put itself in a loop, periodically trying sudo until you do something requiring admin rights and therefore allowing the malware the ability to cripple your system without so much as your password. You can configure sudo to always require a password, but then it's little different than su -c 'command'.
Image
Ludwig von Mises wrote:The elite should be supreme by virtue of persuasion, not by the assistance of firing squads.
User avatar
BioTube
 
Posts: 7551
Joined: 2007-06-01 04:34

Postby didi » 2008-11-09 17:42

I think it would be a very bad idea.

Sudo is meant to be used in a specific way, like BioTube described, to grant normal users privileges to a command which normally requires root access.
It is not meant as a replacement for the root account, even though Ubuntu makes you think otherwise. The Ubuntu way is WRONG as it makes it's users forget the importance of security, since most of it's users grant all root privileges to all users.
Linux is so secure because when you are going to make system-wide changes you need root access, which is a good reminder that you're going to do sth significant to your system and you should be careful what you're doing.
Ubuntu's use of sudo pretty much negates that, by not 'bothering' you with such issues as security :roll:

Sudo is a very powerfull and useful tool and they even recommend it's use in Linux Administration Handbook (2nd edition), but only in the way it was meant to be used:
sudo description wrote:Provide limited super user privileges to specific users
Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is
to give as few privileges as possible but still allow people to get their work done.

Ppl who realize that will know that all they have to do is
Code: Select all
aptitude install sudo
to get what they want.
Including it in the default install encourages the wrong way to use sudo, so that's why I think it's a bad idea.
Testing (server) + Unstable (workstation) 32-bit on AMD Athlon64 X2
didi
 
Posts: 909
Joined: 2007-12-04 16:26
Location: the Netherlands

Re: Suggestion: Sudo in standart installation

Postby infinitycircuit » 2008-11-09 18:47

DingoBoy wrote:Pretty simple:
Is there any specific installation that a default-configured sudo option is only avaliable in the expert install? I believe it would be a good option to include directly in the normal install, because, I hope we agree, sudo is much safer.

Is there any specific reason this has been left out? If it is a very tricky thing to do, I apologise for my ignorance.

Just curious.

Comradely, DingoBoy.


A default-configured sudo in the expert install comes at the expense of not configuring the root account. This is unacceptable.
I am currently a Debian Maintainer. I am also in the New Maintainers' Queue.
infinitycircuit
 
Posts: 1137
Joined: 2007-07-24 03:31
Location: California

Postby BioTube » 2008-11-09 19:05

I've always found sudo to be installed by default, just configured for root alone. The fact that debian-installer will disable the root account should be corrected forthwith.
Image
Ludwig von Mises wrote:The elite should be supreme by virtue of persuasion, not by the assistance of firing squads.
User avatar
BioTube
 
Posts: 7551
Joined: 2007-06-01 04:34

Postby infinitycircuit » 2008-11-09 19:18

Sudo is neither priority required not important. It is brought in by the Desktop task as a dependency of gksu.
I am currently a Debian Maintainer. I am also in the New Maintainers' Queue.
infinitycircuit
 
Posts: 1137
Joined: 2007-07-24 03:31
Location: California

Postby BioTube » 2008-11-09 20:49

Ahhh... I get it now - I install gparted as a matter of course(wasn't there a qtparted? I remember running into some monstrosity by that name) and it pulls in sudo.
Image
Ludwig von Mises wrote:The elite should be supreme by virtue of persuasion, not by the assistance of firing squads.
User avatar
BioTube
 
Posts: 7551
Joined: 2007-06-01 04:34

Postby Jackiebrown » 2008-11-09 21:47

I use it the way BioTube does - for very specific apps.

The difference is, no one else uses my machine so its mainly one or two apps that I use multiple times a day or for a script.

I think the only one set right now is make (which is probably one of the more dangerous ones to set, but since I compile KDE daily, I was willing to sacrifice risk it versus going into my bash history and deleting it every time I type the password to quick after typing su.
User avatar
Jackiebrown
 
Posts: 1276
Joined: 2007-01-02 04:46
Location: San Antonio, TX

Postby infinitycircuit » 2008-11-10 00:05

I only use sudo for cowbuilder so that git-buildpackage can be run without babysitting. The difference between typing su root -c and sudo is infinitesimal anyway.
I am currently a Debian Maintainer. I am also in the New Maintainers' Queue.
infinitycircuit
 
Posts: 1137
Joined: 2007-07-24 03:31
Location: California

Postby didi » 2008-11-10 09:16

http://www.debian.org/devel/debian-desktop/ wrote:We will try to ensure that software is configured for the most common desktop use. For instance, the regular user account added by default during installation should have permission to play audio and video, print, and manage the system through sudo.

Looks kind of official and kind of scary ...
Testing (server) + Unstable (workstation) 32-bit on AMD Athlon64 X2
didi
 
Posts: 909
Joined: 2007-12-04 16:26
Location: the Netherlands

Postby Jackiebrown » 2008-11-11 00:30

That page was for when sarge was the testing branch.
User avatar
Jackiebrown
 
Posts: 1276
Joined: 2007-01-02 04:46
Location: San Antonio, TX

Postby mzilikazi » 2008-11-11 03:18

Personally I won't use sudo at all. I just don't see any point not to mention the complete and total lack of securty it creates. I've never booted Ubuntu. What happens if you do this?
Code: Select all
sudo rm -rf /some/dir

(Don't try this at home boys & girls)
Would it nuke your entire dir?
Debian Sid Laptops:
AMD Athlon(tm) 64 X2 Dual-Core Processor TK-55 / 1.5G
Intel(R) Pentium(R) Dual CPU T2390 @ 1.86GHz / 3G
User avatar
mzilikazi
Forum Ninja
 
Posts: 3321
Joined: 2004-09-16 02:14
Location: Colorado Springs, CO

Postby BioTube » 2008-11-11 03:32

If you're stupid enough to abuse it Ubuntu-style. An intelligent admin would never give a user 'sudo' rights to rm.
Image
Ludwig von Mises wrote:The elite should be supreme by virtue of persuasion, not by the assistance of firing squads.
User avatar
BioTube
 
Posts: 7551
Joined: 2007-06-01 04:34

Next

Return to Debian Development

Who is online

Users browsing this forum: No registered users and 3 guests

fashionable