Problems of a desktop Linux distribution GUI sudo
Oleg Goldshmidt
pub at goldshmidt.org
Mon Jun 14 11:44:09 IDT 2010
2010/6/14 Elazar Leibovich <elazarl at gmail.com>:
> Alas, in the latest version of Ubuntu the sudoers file says
> %admin ALL=(ALL) ALL
> and the default user is indeed in the admin group.
> Is that really a problem (I'm probably not the only one who noticed it)?
I suppose Ubuntu assumes, probably correctly for its target audience,
that it runs on a personal machine with one user, so it is reasonable
to add the user to the admin group and generally let him/her
administer the system. Therefore, the user can basically do
everything. It is not a problem in itself, at first glance.
It would become a problem if the user would have admin privileges
without any additional effort, authentication, etc., the way it is
(was? my education stops at XP) on WIndows. Here users belonging to
the admin group will need to invoke sudo and enter a password before
doing anything nasty, so it does not look as a problem - at first
glance. If it said "NOPASSWD" it would be dangerous since a malicious
program running with the default user privileges could do nasty stuff
_quietly_ (I don't know how difficult it is to modify /var/log/secure
etc. to remove the trace of mischief, but this is for forensics only,
in any case) with sudo then.
Without "NOPASSWD" there is a line of defence that counts on the user
to stop and wonder why an innocuous program is asking him/her for
password. Since most users, unlike you, won't think twice, it might
(should? I guess it depends on the paranoia level in the blood flow)
be considered problematic.
> Is it like that in other distributions?
I am more familiar with RH who are server-oriented so they do not
assume a single user environment. By default each user is a member of
his/her private group (I actually hate that, I find "users" a good
default group), instead of "admin" group there is the more traditional
"wheel" (I understand why Ubuntu prefer "admin" for their target
audience), and the equivalent stanza for the wheel group (allowing the
members to do everything with sudo) is commented out by default in
sudoers.
--
Oleg Goldshmidt | oleg at goldshmidt.org
More information about the Linux-il
mailing list