Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Sudo or not sudo?

Here you can discuss every aspect of Debian. Note: not for support requests!
Message
Author
zoli62
Posts: 20
Joined: 2019-11-09 04:09

Sudo or not sudo?

#1 Post by zoli62 »

Why is it not preferable to use sudo by default in Debian?

Dai_trying
Posts: 1100
Joined: 2016-01-07 12:25
Has thanked: 5 times
Been thanked: 16 times

Re: Sudo or not sudo?

#2 Post by Dai_trying »

I can't directly answer your question but I just wanted to point out that sudo is the default if you do not enter a root password when installing.

Bulkley
Posts: 6382
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: Sudo or not sudo?

#3 Post by Bulkley »

Personally, I don't like sudo. To me, it's a cheat.

zoli62
Posts: 20
Joined: 2019-11-09 04:09

Re: Sudo or not sudo?

#4 Post by zoli62 »

Dai_trying wrote:I can't directly answer your question but I just wanted to point out that sudo is the default if you do not enter a root password when installing.
I think you have to enter the root password during the installation, because it can't continue.

User avatar
Soul Singin'
Posts: 1605
Joined: 2008-12-21 07:02

Re: Sudo or not sudo?

#5 Post by Soul Singin' »

Are you trying to start a flame war? This board used to have heated discussions on this topic.
Soul Singin' wrote:Using sudo to run a command as root is equivalent to logging into the root account and running that same command. Therefore, using sudo is certainly not safer than logging into the root account. In fact, one could argue that using sudo is less secure because people have a tendency to use easier passwords for their user account than they do for the root account.

So why does Ubuntu use sudo? My guess is that they are trying to make GNU/Linux easy for the new user, so they figure that it is easier to provide one username and password than it is to explain the separation of the user account from the root account.

In any case, their reasoning is so bad that I felt compelled to start a whole thread about it. See: sudo rm -rf Ubuntu.

That having been said, there are some legitimate uses for sudo. For example, you may want to give normal users the ability to shutdown or hibernate the computer. In such cases, you could add:

Code: Select all

%guest  ALL = NOPASSWD: /usr/sbin/hibernate
%guest  ALL = NOPASSWD: /sbin/shutdown
to your /etc/sudoers file. (Note: On my system, all users are in the guest group).

Alternatively, you may want to give user chris the power to run a command as user rich. For example, adding:

Code: Select all

chris    ALL = (rich) NOPASSWD: /usr/bin/whoami
to the /etc/sudoers file would enable chris to run:

Code: Select all

sudo -u rich whoami
Because chris would be using sudo to run whoami as rich, the output of the command would be: "rich."


So go ahead and use sudo. Just be sure to limit the set of commands that the normal user may execute as root. For example, you should NOT allow a normal user to run an editor like Vi or Emacs as root.
man sudoers wrote:PREVENTING SHELL ESCAPES

Once sudo executes a program, that program is free to do whatever it pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass sudo's access control and logging. Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs.
Hope this helps,
- Soul Singin'

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: Sudo or not sudo?

#6 Post by Deb-fan »

Been biting my digi-tongue for this persons posts. :P

Gotta say, do your own homework and research dude !!! it's actually somewhat involved and I don't feel like typing a bk out so you don't have to find/read the already massive amounts of info on the topic yourself. After the kdesu thread, which again, not even touching it. You're obviously talking about using sudo to launch graphical apps-etc with privileges. Done right with the right flags/switches and some other associated junk, no problemo but again, am not attempting summarizing junk like this so you don't have to research and learn for yourself. :D
Most powerful FREE tech-support tool on the planet * HERE. *

cuckooflew
Posts: 677
Joined: 2018-05-10 19:34
Location: Some where out west
Been thanked: 1 time

Re: Sudo or not sudo?

#7 Post by cuckooflew »

zoli62 wrote:Why is it not preferable to use sudo by default in Debian?
Because some users, like me , do not want to use "sudo" , those that do want to use it can install it and set it up if they so desire.
zoli62 wrote:
Dai_trying wrote:I can't directly answer your question but I just wanted to point out that sudo is the default if you do not enter a root password when installing.
I think you have to enter the root password during the installation, because it can't continue.
Your thinking is wrong, maybe you should do some research, read some of the Debian documenation, but as Dai_trying said, if you don't set a root password, you will get sudo , no matter if you want it or not.
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: Sudo or not sudo?

#8 Post by Deb-fan »

Jebuz if you are talking about something else. Sheesh, folks have mentioned either option is readily available. For a long time have taken to setting up a root acct, as well as having a sudo user. Esp when someone hasn't learned what they're doing, they can bork-up sudo or visudo/sudoers and find themselves at that point unable to do things on the OS which require privileges. If someone has a root acct they can log into, it just makes it a bit easier to unbork w/o resorting to chroot or whatever. Lol .. OP you really seem to be the king of one liners, shrugs and PLONK ! :D
Tired as hades and mentally worn out. Though again ... if all someone can muster when discussing or asking about a fairly complex technical subject is one liners. They/ye forceth my hand PlOnk ... PLonk, PLONkkkkkkkkkk, PlOnK !!!!
Most powerful FREE tech-support tool on the planet * HERE. *

zoli62
Posts: 20
Joined: 2019-11-09 04:09

Re: Sudo or not sudo?

#9 Post by zoli62 »

cuckooflew wrote:
zoli62 wrote:Why is it not preferable to use sudo by default in Debian?
Because some users, like me , do not want to use "sudo" , those that do want to use it can install it and set it up if they so desire.
zoli62 wrote:
Dai_trying wrote:I can't directly answer your question but I just wanted to point out that sudo is the default if you do not enter a root password when installing.
I think you have to enter the root password during the installation, because it can't continue.
Your thinking is wrong, maybe you should do some research, read some of the Debian documenation, but as Dai_trying said, if you don't set a root password, you will get sudo , no matter if you want it or not.
All right, maybe it is. Does this mean that if you set the root password during the installation, the first user created during the installation will not be part of the sudo group? You will need to add him later to this group, which requires some caution under Debian 10, as you may not be successful at first.https://linuxconfig.org/command-not-fou ... -gnu-linux https://devconnected.com/how-to-add-a-u ... 10-buster/ At least that's what I experienced.

zoli62
Posts: 20
Joined: 2019-11-09 04:09

Re: Sudo or not sudo?

#10 Post by zoli62 »

Deb-fan wrote:Been biting my digi-tongue for this persons posts. :P

Gotta say, do your own homework and research dude !!! it's actually somewhat involved and I don't feel like typing a bk out so you don't have to find/read the already massive amounts of info on the topic yourself. After the kdesu thread, which again, not even touching it. You're obviously talking about using sudo to launch graphical apps-etc with privileges. Done right with the right flags/switches and some other associated junk, no problemo but again, am not attempting summarizing junk like this so you don't have to research and learn for yourself. :D

This topic is not about how to run graphical applications with root privilege. Rather, although Debian is becoming more beginner friendly, after a basic installation is done normally, the user wonders why he himself cannot do a system upgrade, for example. Well, because you are not a member of the sudo group by default, like this is common in other distros. Assigning a user to this group on a terminal in Debian 10 is not that easy, as the beginner / average user may encounter some error messages during the operation.

zoli62
Posts: 20
Joined: 2019-11-09 04:09

Re: Sudo or not sudo?

#11 Post by zoli62 »

Soul Singin' wrote:Are you trying to start a flame war? This board used to have heated discussions on this topic.
Soul Singin' wrote:Using sudo to run a command as root is equivalent to logging into the root account and running that same command. Therefore, using sudo is certainly not safer than logging into the root account. In fact, one could argue that using sudo is less secure because people have a tendency to use easier passwords for their user account than they do for the root account.

So why does Ubuntu use sudo? My guess is that they are trying to make GNU/Linux easy for the new user, so they figure that it is easier to provide one username and password than it is to explain the separation of the user account from the root account.

In any case, their reasoning is so bad that I felt compelled to start a whole thread about it. See: sudo rm -rf Ubuntu.

That having been said, there are some legitimate uses for sudo. For example, you may want to give normal users the ability to shutdown or hibernate the computer. In such cases, you could add:

Code: Select all

%guest  ALL = NOPASSWD: /usr/sbin/hibernate
%guest  ALL = NOPASSWD: /sbin/shutdown
to your /etc/sudoers file. (Note: On my system, all users are in the guest group).

Alternatively, you may want to give user chris the power to run a command as user rich. For example, adding:

Code: Select all

chris    ALL = (rich) NOPASSWD: /usr/bin/whoami
to the /etc/sudoers file would enable chris to run:

Code: Select all

sudo -u rich whoami
Because chris would be using sudo to run whoami as rich, the output of the command would be: "rich."


So go ahead and use sudo. Just be sure to limit the set of commands that the normal user may execute as root. For example, you should NOT allow a normal user to run an editor like Vi or Emacs as root.
man sudoers wrote:PREVENTING SHELL ESCAPES

Once sudo executes a program, that program is free to do whatever it pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass sudo's access control and logging. Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs.
Hope this helps,
- Soul Singin'
I do not want to launch flame war I just want to understand that while Debian is also moving towards becoming more beginner friendly, why not prefer sudo, as is usual in other distros. The issue is philosophical and theoretical rather than professional.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Sudo or not sudo?

#12 Post by Head_on_a_Stick »

zoli62 wrote:Why is it not preferable to use sudo by default in Debian?
Debian uses sudo by default unless a root password is provided.

If it bothers you that much use this line in a preseed file:

Code: Select all

d-i passwd/root-login boolean false
^ That will stop the installer asking for a root password.
deadbang

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Sudo or not sudo?

#13 Post by kedaha »

It's a matter of choice; however, a lot of new Debian users coming from Ubuntu to this place don't take long to discard sudo for su -, probably because sudo is not used in most topics so they end up doing the same.
Something I've noticed is sudo often gets thrown into commands unnecessarily as in, for example
$ sudo lspci
or when simulating a command like:
$ apt install -s vrms
I can't be bothered with sudo though I occasionally use it when some tutorial includes it but I put that down to laziness.
Nothing new under the sun, as the saying goes. This is like revisiting an old forum topic from ten years ago: Do you sudo?
But hey...what goes around comes around. :wink:
Last edited by kedaha on 2019-11-10 12:08, edited 1 time in total.
DebianStable

Code: Select all

$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.

User avatar
wizard10000
Global Moderator
Global Moderator
Posts: 551
Joined: 2019-04-16 23:15
Location: southeastern us
Has thanked: 75 times
Been thanked: 85 times

Re: Sudo or not sudo?

#14 Post by wizard10000 »

IME in the enterprise sudo is the method of choice; in the last three engagements I've worked you're simply Not Going To Get The Root Password.

Said it before, but when I worked for Department of Defense root passwords were stored in a safe, changed after each use and if you couldn't explain to IT Security a) why you needed to do it, and b) why you couldn't do it with sudo you weren't getting the password.

But - on their own machine I think people should use whatever they like :mrgreen:
we see things not as they are, but as we are.
-- anais nin

cuckooflew
Posts: 677
Joined: 2018-05-10 19:34
Location: Some where out west
Been thanked: 1 time

Re: Sudo or not sudo?

#15 Post by cuckooflew »

http://forums.debian.net/posting.php?mo ... 2#pr710672 ; by zoli62 » 2019-11-10 09:54 > Does this mean that if you set the root password during the installation, the first user created during the installation will not be part of the sudo group?
To be honest , since I do not usually use sudo, nor install it, I might be wrong. But yes, if I remember correctly, when I did some experimenting with that, I had set the root password as I normally do. Then later I installed sudo, and did need to also make the first user (or what ever users I wanted), after sudo is installed, the users that the admin wants to give sudo privileges must be added to the sudoers group.
You should use "visudo" to do this , there are more details about the procedure available if one looks for them. You really should just read some documentation: (a good starting point: https://wiki.debian.org/sudo)
------ if you give root an empty password during installation, sudo will be installed and the first user will be able to use it to gain root access (currently, the user will be added to the sudo group). The system will also configure gksu and aptitude to use sudo. You should still verify group membership after logging in as the installed user.
===========
zoli62>> Assigning a user to this group on a terminal in Debian 10 is not that easy, as the beginner / average user may encounter some error messages during the operation.
It is simple and easy, but if it seems to complicated to you , perhaps you should use the MX :https://mxlinux.org/ distribution. Or any of the numerous others that install and set up sudo for you. As for encountering error messages, that is no big deal , fortunately there are error messages, and they usually help point you in the right direction. (Except when Gnome is involved, they just tell you "oh NO something went wrong")
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!

trinidad
Posts: 289
Joined: 2016-08-04 14:58
Been thanked: 13 times

Re: Sudo or not sudo?

#16 Post by trinidad »

IME in the enterprise sudo is the method of choice; in the last three engagements I've worked you're simply Not Going To Get The Root Password
Yes but there is another layer of security on the system, which is common on large systems, but still problematic. Large systems with multiple sudoers can certainly be a security risk. Administrators are moveing away from the practice, and/or adding a security layer, and/or technically limiting sudoer privileges per application across large networks, and/or running many non-risk administration tasks in user space instead, the security layer being vetted administrators.

TC
You can't believe your eyes if your imagination is out of focus.

zoli62
Posts: 20
Joined: 2019-11-09 04:09

Re: Sudo or not sudo?

#17 Post by zoli62 »

cuckooflew wrote:
http://forums.debian.net/posting.php?mo ... 2#pr710672 ; by zoli62 » 2019-11-10 09:54 > Does this mean that if you set the root password during the installation, the first user created during the installation will not be part of the sudo group?
To be honest , since I do not usually use sudo, nor install it, I might be wrong. But yes, if I remember correctly, when I did some experimenting with that, I had set the root password as I normally do. Then later I installed sudo, and did need to also make the first user (or what ever users I wanted), after sudo is installed, the users that the admin wants to give sudo privileges must be added to the sudoers group.
You should use "visudo" to do this , there are more details about the procedure available if one looks for them. You really should just read some documentation: (a good starting point: https://wiki.debian.org/sudo)
------ if you give root an empty password during installation, sudo will be installed and the first user will be able to use it to gain root access (currently, the user will be added to the sudo group). The system will also configure gksu and aptitude to use sudo. You should still verify group membership after logging in as the installed user.
===========
zoli62>> Assigning a user to this group on a terminal in Debian 10 is not that easy, as the beginner / average user may encounter some error messages during the operation.
It is simple and easy, but if it seems to complicated to you , perhaps you should use the MX :https://mxlinux.org/ distribution. Or any of the numerous others that install and set up sudo for you. As for encountering error messages, that is no big deal , fortunately there are error messages, and they usually help point you in the right direction. (Except when Gnome is involved, they just tell you "oh NO something went wrong")
I started using Debian when sudo didn't even exist. When sudo started, I already found the attitude of Ubuntu strange, because it reminded me of Windows, where UAC is used. I think using sudo gives the average user a false sense of security. In my opinion, we should be operating on an operating system either as an administrator or as a normal user. If we choose the former, we must be aware of all the risks involved. The problem is that in many cases, operating systems can only run useful system-level commands as an administrator. However, this is difficult for a beginner to understand, so he asks a more knowledgeable person to configure his own computer, so he won't learn to use GNU / Linux.

User avatar
wizard10000
Global Moderator
Global Moderator
Posts: 551
Joined: 2019-04-16 23:15
Location: southeastern us
Has thanked: 75 times
Been thanked: 85 times

Re: Sudo or not sudo?

#18 Post by wizard10000 »

trinidad wrote:Yes but there is another layer of security on the system, which is common on large systems, but still problematic. Large systems with multiple sudoers can certainly be a security risk. Administrators are moveing away from the practice, and/or adding a security layer, and/or technically limiting sudoer privileges per application across large networks, and/or running many non-risk administration tasks in user space instead, the security layer being vetted administrators.
True. IMO the whole purpose of sudo isn't to act as a replacement for the root account, but to provide limited access where required.
we see things not as they are, but as we are.
-- anais nin

pendrachken
Posts: 1394
Joined: 2007-03-04 21:10
Location: U.S.A. - WI.

Re: Sudo or not sudo?

#19 Post by pendrachken »

cuckooflew wrote:
zoli62 wrote:Why is it not preferable to use sudo by default in Debian?
Because some users, like me , do not want to use "sudo" , those that do want to use it can install it and set it up if they so desire.
Just playing devils advocate here:

What makes YOUR use case more important than the person who wants to use sudo? It's easier to re-enable the root account than it is for a user to properly set up sudo. All you have to do is:

Code: Select all

$: sudo su -
#: passwd
Input a password 2X when prompted and done
fortune -o
Your love life will be... interesting.
:twisted: How did it know?

The U.S. uses the metric system too, we have tenths, hundredths and thousandths of inches :-P

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: Sudo or not sudo?

#20 Post by Deb-fan »

Of course + 1 Wiz10k and somewhat the other guy. As realistically on a multiuser system what semi-competent admin is going to give out sudo access to very many people anyway. Certainly not jane/joe avg user. Of course think sudo is cool though. Actually going to have to research it's history now, believe it originated with Canonical Inc/Ubuntu or thereabouts. Now there are these flatpak, snaps etc things for users who wish to install whatever (is allowed) and only affects their user acct. Like many am resistant to it, like the trusted and managed repositories setup as it is, don't so much like these new deal thingys but do see some potential. Also occurred to me I've been doing much the same thing forever in gnu/Nix, Firefox from Mozilla, not installed nor managed by the OS's packaging tools. Have also used stand-alone or portable apps forever and a day as well. On whichever OS and/or on a thumb-drive, shrugs.

In my view the whole root or sudo, one or other is kind of tarded. Mentioned I have/use both cause that's my preference but enabling/disabling (locking root acct) is a matter of secs or adding user with visudo/sudoers ... same. Each their own preference. One a MANY great things about gnu/Linux and Debian. You want it ? You can very likely have it really quickly. GOOGLE ! :D
Most powerful FREE tech-support tool on the planet * HERE. *

Post Reply