Debian User Forums

[zoli62]

Why is it not preferable to use sudo by default in Debian?

[Dai_trying]

I can't directly answer your question but I just wanted to point out that sudo is the default if you do not enter a root password when installing.

[Bulkley]

Personally, I don't like sudo. To me, it's a cheat.

[zoli62]

I can't directly answer your question but I just wanted to point out that sudo is the default if you do not enter a root password when installing.

I think you have to enter the root password during the installation, because it can't continue.

[Soul Singin']

Are you trying to start a flame war? This board used to have heated discussions on this topic.

Using sudo to run a command as root is equivalent to logging into the root account and running that same command. Therefore, using sudo is certainly not safer than logging into the root account. In fact, one could argue that using sudo is less secure because people have a tendency to use easier passwords for their user account than they do for the root account.

So why does Ubuntu use sudo? My guess is that they are trying to make GNU/Linux easy for the new user, so they figure that it is easier to provide one username and password than it is to explain the separation of the user account from the root account.

In any case, their reasoning is so bad that I felt compelled to start a whole thread about it. See: sudo rm -rf Ubuntu.

That having been said, there are some legitimate uses for sudo. For example, you may want to give normal users the ability to shutdown or hibernate the computer. In such cases, you could add:

Code: Select all

%guest  ALL = NOPASSWD: /usr/sbin/hibernate
%guest  ALL = NOPASSWD: /sbin/shutdown

to your /etc/sudoers file. (Note: On my system, all users are in the guest group).

Alternatively, you may want to give user chris the power to run a command as user rich. For example, adding:

Code: Select all

chris    ALL = (rich) NOPASSWD: /usr/bin/whoami

to the /etc/sudoers file would enable chris to run:

Code: Select all

sudo -u rich whoami

Because chris would be using sudo to run whoami as rich, the output of the command would be: "rich."


So go ahead and use sudo. Just be sure to limit the set of commands that the normal user may execute as root. For example, you should NOT allow a normal user to run an editor like Vi or Emacs as root.

PREVENTING SHELL ESCAPES

Once sudo executes a program, that program is free to do whatever it pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass sudo's access control and logging. Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs.

Hope this helps,
- Soul Singin'

[Deb-fan]

Been biting my digi-tongue for this persons posts.

Gotta say, do your own homework and research dude !!! it's actually somewhat involved and I don't feel like typing a bk out so you don't have to find/read the already massive amounts of info on the topic yourself. After the kdesu thread, which again, not even touching it. You're obviously talking about using sudo to launch graphical apps-etc with privileges. Done right with the right flags/switches and some other associated junk, no problemo but again, am not attempting summarizing junk like this so you don't have to research and learn for yourself.

[cuckooflew]

Why is it not preferable to use sudo by default in Debian?

Because some users, like me , do not want to use "sudo" , those that do want to use it can install it and set it up if they so desire.

I can't directly answer your question but I just wanted to point out that sudo is the default if you do not enter a root password when installing.

I think you have to enter the root password during the installation, because it can't continue.

Your thinking is wrong, maybe you should do some research, read some of the Debian documenation, but as Dai_trying said, if you don't set a root password, you will get sudo , no matter if you want it or not.

[Deb-fan]

Jebuz if you are talking about something else. Sheesh, folks have mentioned either option is readily available. For a long time have taken to setting up a root acct, as well as having a sudo user. Esp when someone hasn't learned what they're doing, they can bork-up sudo or visudo/sudoers and find themselves at that point unable to do things on the OS which require privileges. If someone has a root acct they can log into, it just makes it a bit easier to unbork w/o resorting to chroot or whatever. Lol .. OP you really seem to be the king of one liners, shrugs and PLONK !

Tired as hades and mentally worn out. Though again ... if all someone can muster when discussing or asking about a fairly complex technical subject is one liners. They/ye forceth my hand PlOnk ... PLonk, PLONkkkkkkkkkk, PlOnK !!!!

[zoli62]

Why is it not preferable to use sudo by default in Debian?

Because some users, like me , do not want to use "sudo" , those that do want to use it can install it and set it up if they so desire.

I can't directly answer your question but I just wanted to point out that sudo is the default if you do not enter a root password when installing.

I think you have to enter the root password during the installation, because it can't continue.

Your thinking is wrong, maybe you should do some research, read some of the Debian documenation, but as Dai_trying said, if you don't set a root password, you will get sudo , no matter if you want it or not.

All right, maybe it is. Does this mean that if you set the root password during the installation, the first user created during the installation will not be part of the sudo group? You will need to add him later to this group, which requires some caution under Debian 10, as you may not be successful at first.https://linuxconfig.org/command-not-fou ... -gnu-linux https://devconnected.com/how-to-add-a-u ... 10-buster/ At least that's what I experienced.

[zoli62]

Been biting my digi-tongue for this persons posts.

Gotta say, do your own homework and research dude !!! it's actually somewhat involved and I don't feel like typing a bk out so you don't have to find/read the already massive amounts of info on the topic yourself. After the kdesu thread, which again, not even touching it. You're obviously talking about using sudo to launch graphical apps-etc with privileges. Done right with the right flags/switches and some other associated junk, no problemo but again, am not attempting summarizing junk like this so you don't have to research and learn for yourself.

This topic is not about how to run graphical applications with root privilege. Rather, although Debian is becoming more beginner friendly, after a basic installation is done normally, the user wonders why he himself cannot do a system upgrade, for example. Well, because you are not a member of the sudo group by default, like this is common in other distros. Assigning a user to this group on a terminal in Debian 10 is not that easy, as the beginner / average user may encounter some error messages during the operation.

[zoli62]

Are you trying to start a flame war? This board used to have heated discussions on this topic.

Using sudo to run a command as root is equivalent to logging into the root account and running that same command. Therefore, using sudo is certainly not safer than logging into the root account. In fact, one could argue that using sudo is less secure because people have a tendency to use easier passwords for their user account than they do for the root account.

So why does Ubuntu use sudo? My guess is that they are trying to make GNU/Linux easy for the new user, so they figure that it is easier to provide one username and password than it is to explain the separation of the user account from the root account.

In any case, their reasoning is so bad that I felt compelled to start a whole thread about it. See: sudo rm -rf Ubuntu.

That having been said, there are some legitimate uses for sudo. For example, you may want to give normal users the ability to shutdown or hibernate the computer. In such cases, you could add:

Code: Select all

%guest  ALL = NOPASSWD: /usr/sbin/hibernate
%guest  ALL = NOPASSWD: /sbin/shutdown

to your /etc/sudoers file. (Note: On my system, all users are in the guest group).

Alternatively, you may want to give user chris the power to run a command as user rich. For example, adding:

Code: Select all

chris    ALL = (rich) NOPASSWD: /usr/bin/whoami

to the /etc/sudoers file would enable chris to run:

Code: Select all

sudo -u rich whoami

Because chris would be using sudo to run whoami as rich, the output of the command would be: "rich."


So go ahead and use sudo. Just be sure to limit the set of commands that the normal user may execute as root. For example, you should NOT allow a normal user to run an editor like Vi or Emacs as root.

PREVENTING SHELL ESCAPES

Once sudo executes a program, that program is free to do whatever it pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass sudo's access control and logging. Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs.

Hope this helps,
- Soul Singin'

I do not want to launch flame war I just want to understand that while Debian is also moving towards becoming more beginner friendly, why not prefer sudo, as is usual in other distros. The issue is philosophical and theoretical rather than professional.

[Head_on_a_Stick]

Why is it not preferable to use sudo by default in Debian?

Debian uses sudo by default unless a root password is provided.

If it bothers you that much use this line in a preseed file:

Code: Select all

d-i passwd/root-login boolean false

^ That will stop the installer asking for a root password.

[kedaha]

It's a matter of choice; however, a lot of new Debian users coming from Ubuntu to this place don't take long to discard sudo for su -, probably because sudo is not used in most topics so they end up doing the same.
Something I've noticed is sudo often gets thrown into commands unnecessarily as in, for example
$ sudo lspci
or when simulating a command like:
$ apt install -s vrms
I can't be bothered with sudo though I occasionally use it when some tutorial includes it but I put that down to laziness.
Nothing new under the sun, as the saying goes. This is like revisiting an old forum topic from ten years ago: Do you sudo?
But hey...what goes around comes around.

[wizard10000]

IME in the enterprise sudo is the method of choice; in the last three engagements I've worked you're simply Not Going To Get The Root Password.

Said it before, but when I worked for Department of Defense root passwords were stored in a safe, changed after each use and if you couldn't explain to IT Security a) why you needed to do it, and b) why you couldn't do it with sudo you weren't getting the password.

But - on their own machine I think people should use whatever they like

[cuckooflew]

http://forums.debian.net/posting.php?mode=reply&f=20&t=144202#pr710672 ; by zoli62 » 2019-11-10 09:54 > Does this mean that if you set the root password during the installation, the first user created during the installation will not be part of the sudo group?

To be honest , since I do not usually use sudo, nor install it, I might be wrong. But yes, if I remember correctly, when I did some experimenting with that, I had set the root password as I normally do. Then later I installed sudo, and did need to also make the first user (or what ever users I wanted), after sudo is installed, the users that the admin wants to give sudo privileges must be added to the sudoers group.
You should use "visudo" to do this , there are more details about the procedure available if one looks for them. You really should just read some documentation: (a good starting point: https://wiki.debian.org/sudo)

------ if you give root an empty password during installation, sudo will be installed and the first user will be able to use it to gain root access (currently, the user will be added to the sudo group). The system will also configure gksu and aptitude to use sudo. You should still verify group membership after logging in as the installed user.

===========

zoli62>> Assigning a user to this group on a terminal in Debian 10 is not that easy, as the beginner / average user may encounter some error messages during the operation.

It is simple and easy, but if it seems to complicated to you , perhaps you should use the MX :https://mxlinux.org/ distribution. Or any of the numerous others that install and set up sudo for you. As for encountering error messages, that is no big deal , fortunately there are error messages, and they usually help point you in the right direction. (Except when Gnome is involved, they just tell you "oh NO something went wrong")