In message <1222689591.2729.2@proxy02.news.clara.net>, The Natural
Philosopher writes


>Can anyone explain to me why a SUDOO password is in any way safer than
>having a root password with a separate password?
>
>Is this something to do with having a GUI admin approach?
>
If you have a separate root account it's possible to stay logged in as
root even when doing work that doesn't require root privileges.

Of course that's still possible using sudo if you use the -i switch. I
think the main reason for adopting it was ease of use for single-user
systems.


--
Bernard Peek
London, UK. DBA, Manager, Trainer & Author.

Michael Black wrote:
> On Mon, 29 Sep 2008, The Natural Philosopher wrote:
>
>> Chris Davies wrote:
>>> Ron House wrote:
>>>> I didn't mean sudo the program is a disaster, I meant ?buntu's
>>>> arrangement of forcing _only_ sudo. [...] when I set up Ubuntu on a
>>>> friend's laptop, it forgot to put the first user into the sudo list,
>>>> locked out genuine root logins, and left the system with no viable
>>>> way to get any admin work done.
>>>
>>> Ah, yes, I see what you mean. Not being an *buntu user I knew of the "no
>>> root user" approach but hadn't twigged about how one would deal with
>>> that.
>>>
>>>
>>>> And the idea that every sudo-user's password is in effect a root
>>>> password, well, 'nuff said!
>>>
>>> Agreed, but that's a knock-on effect of sudo on any system, not just
>>> *buntu. I guess that's a requirement of the "single user, single
>>> administrator" approach that's necessary for the SOHO environment.
>>>
>>> Thanks,
>>> Chris
>> Can anyone explain to me why a SUDOO password is in any way safer than
>> having a root password with a separate password?
>>
>> Is this something to do with having a GUI admin approach?
>>
>>
> When this has come up before, one reason (and I'm not sure it's the only
> one), is that if you simply log in as root, there's no record of
> who you are. But if you move from another account to root via sudo,
> it gets logged. So you can see if you were the one who became root,
> or someone who shouldn't.
>

That's fair enough, but doesn't make sense in a single user environment.


> Michael
>

Chris writes:
> Agreed, but that's a knock-on effect of sudo on any system, not just
> *buntu.

It is possible to configure sudo to restrict each user to a different,
limited set of commands.

> I guess that's a requirement of the "single user, single administrator"
> approach that's necessary for the SOHO environment.

Only the first account created is automatically given sudo privileges. In
a locked-down environment where the user is not to have any root privileges
you could first create an "administrator" account for which the users would
not be given the password and then create one or more user accounts.

Ubuntu is aimed at single home users who will be doing the installation
themselves. The purpose of the sudo setup is to prevent the user from
continuing his established Windows behavior and logging in as root all the
time. An experienced Linux administrator wiil of course know how to easily
set a root password if she wants one.
--
John Hasler
john@dhh.gt.org
Dancing Horse Hill
Elmwood, WI USA

The Natural Philosopher writes:
> That's fair enough, but doesn't make sense in a single user environment.

The new user just upgrading from Windows doesn't know how to log in as root
using sudo: he only knows how to use it to run single commands. Hopefully
by the time he learns more he will know better than do misuse root.
--
John Hasler
john@dhh.gt.org
Dancing Horse Hill
Elmwood, WI USA

Michael Black wrote:
> On Mon, 29 Sep 2008, The Natural Philosopher wrote:
>
>> Chris Davies wrote:
>>> Ron House wrote:
>>>> I didn't mean sudo the program is a disaster, I meant ?buntu's
>>>> arrangement of forcing _only_ sudo. [...] when I set up Ubuntu on a
>>>> friend's laptop, it forgot to put the first user into the sudo list,
>>>> locked out genuine root logins, and left the system with no viable
>>>> way to get any admin work done.
>>>
>>> Ah, yes, I see what you mean. Not being an *buntu user I knew of the "no
>>> root user" approach but hadn't twigged about how one would deal with
>>> that.
>>>
>>>
>>>> And the idea that every sudo-user's password is in effect a root
>>>> password, well, 'nuff said!
>>>
>>> Agreed, but that's a knock-on effect of sudo on any system, not just
>>> *buntu. I guess that's a requirement of the "single user, single
>>> administrator" approach that's necessary for the SOHO environment.
>>>
>>> Thanks,
>>> Chris
>> Can anyone explain to me why a SUDOO password is in any way safer than
>> having a root password with a separate password?
>>
>> Is this something to do with having a GUI admin approach?
>>
>>
> When this has come up before, one reason (and I'm not sure it's the only
> one), is that if you simply log in as root, there's no record of
> who you are. But if you move from another account to root via sudo,
> it gets logged. So you can see if you were the one who became root,
> or someone who shouldn't.
>
> Michael
>

Sudo can also allow non-root users to run *specific* commands, and to manage
it by usergroups, with or without requiring the user password. It's really
quite a powerful toolkit: read the manual pages for more details of aspects
that are simply unavailable to a bare 'su'.

Sudo also handles user environments, such as PATH, better.

The Natural Philosopher wrote:
> Can anyone explain to me why a SUDOO password is in any way safer than
> having a root password with a separate password?

You can use the sudoers file to assign different bits of the overarching
root privilege to different groups of users, without any of them needing
to know the root password.

Further, sudo provides a simple audit trail so with care it's possible
to track who has done what. If you allow multiple people the option of
logging in as root you can't identify who the root user really is/was
at any moment.


> Is this something to do with having a GUI admin approach?

No.

Chris

"Ralink RT73 chipset"

OK, but the problem is, one USB stick I have already tried is Ralink RT73
based - and didn't work under PCLOS2007 / Ubuntu (or several others whose
names escape me again). Still, I can try the actual Dlink version.

Thanks for the updates.

DDS

On Tue, 30 Sep 2008 22:10:21 +0100, Duncan Di Saudelli wrote:

> "Ralink RT73 chipset"
>
> OK, but the problem is, one USB stick I have already tried is Ralink
> RT73 based - and didn't work under PCLOS2007 / Ubuntu (or several others
> whose names escape me again). Still, I can try the actual Dlink version.

The rt73 was not working in most older distros. PCLOS 2007 is waaaay to
old (and a dead disto to boot).

That same rt73 is working under Ubuntu 8.04, also Slackware 12.1 and
Debian Lenny or Sid once the non-free firmware is downloaded.

Chris Davies wrote:

> Ron House wrote:
>> And the idea that every sudo-user's password is in effect a root
>> password, well, 'nuff said!
>
> Agreed, but that's a knock-on effect of sudo on any system, not just
> *buntu.

You can configure sudo to require the root password instead of the
user's password if you want that.



Florian
--

-----------------------------------------------------------------------
** Hi! I'm a signature virus! Copy me into your signature, please! **
-----------------------------------------------------------------------

Ron House writes:

> I didn't mean sudo the program is a disaster, I meant ?buntu's
> arrangement of forcing _only_ sudo. I use sudo on debian too, on
> occasion. But when I set up Ubuntu on a friend's laptop, it forgot to
> put the first user into the sudo list, locked out genuine root logins,
> and left the system with no viable way to get any admin work
> done. (That was after it refused to use a perfectly good partition for
> / until it had been deleted and Ubuntu was allowed to make it for
> itself.) And the idea that every sudo-user's password is in effect a
> root password, well, 'nuff said!

Plus also now any place one asks for help they automatically assume
you're on Ubuntu and tell you do so stuff like 'sudo modprobe blah'.

SUdon't need to 'sudo' everything...
don'tSU dare be a 'sudo' abuser!
SUdidn't install Ubuntu?!

sudoobie - new Ubuntu user

--
Protect? [** America, The Police State **] Serve?
http://www.hermes-press.com/police_state.htm
http://www.homelandstupidity.us/2008...ir-passengers/
Guns For TX Teachers: http://news.bbc.co.uk/1/hi/world/americas/7564654.stm

In article <9YGdnVGEo9lc1kDVnZ2dnUVZ8v3inZ2d@pipex.net>,
Sheridan Hutchinson wrote:

> This really isn't my domain of specificity and would recommend that you
> buy only wifi cards or wifi dongles that use one of the atheros
> chipsets. Recent kernels include the high quality ath5k driver which
> I've seen to work out of the box in the testing release of Debian and
> presumably this is the case of any other recent distro release. Debian
> will even recognise it during the setup and get it up and running
> immediately.

Bear in mind that the mac80211 code in kernels older than 2.6.26 is a
bit dodgy and will not give good results in less than perfect signal
conditions. (Its error counting code is buggy, so its rate control
algorithm tends to crank down the connection speed to 1Mbps on the
slightest interference.) This affects the ath5k and rt2xxx drivers
equally. 2.6.26 and later are fine.

--
Paul Martin