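2010/6/14 Elazar Leibovich <elaz...@gmail.com>:

> Alas, in the latest version of Ubuntu the sudoers file says
> %admin ALL=(ALL) ALL
> and the default user is indeed in the admin group.
> Is that really a problem (I'm probably not the only one who noticed it)?

I suppose Ubuntu assumes, probably correctly for its target audience, that it runs on a personal machine with one user, so it is reasonable to add the user to the admin group and generally let him/her administer the system. Therefore, the user can basically do everything.

It is not a problem in itself, at first glance. It would become a problem if the user had admin privileges without any additional effort, authentication, etc., the way it is (was? my education stops at XP) on Windows. Here users belonging to the admin group will need to invoke sudo and enter a password before doing anything nasty, so it does not look like a problem - at first glance.

If it said "NOPASSWD" it would be dangerous since a malicious program running with the default user privileges could do nasty stuff _quietly_ (I don't know how difficult it is to modify /var/log/secure etc. to remove the trace of mischief, but this is for forensics only, in any case) with sudo then. Without "NOPASSWD" there is a line of defence that counts on the user to stop and wonder why an innocuous program is asking him/her for a password. Since most users, unlike you, won't think twice, it might (should? I guess it depends on the paranoia level in the blood flow) be considered problematic.

> Is it like that in other distributions?

I am more familiar with RH who are server-oriented so they do not assume a single user environment. By default each user is a member of his/her private group (I actually hate that, I find "users" a good default group), instead of "admin" group there is the more traditional "wheel" (I understand why Ubuntu prefer "admin" for their target audience), and the equivalent stanza for the wheel group (allowing the members to do everything with sudo) is commented out by default in sudoers.

-- 
Oleg Goldshmidt | o...@goldshmidt.org
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il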
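
The distinction drawn in the message above, between a password-gated `ALL` grant and a `NOPASSWD` one, can be checked mechanically. The following is an added example, not part of the original message: a small sudoers audit in Python. The sample file contents are constructed, and the parser assumes simple one-host rules and does not follow include directives.

```python
import re

# Constructed sample: the Ubuntu rule quoted in the thread, a NOPASSWD variant,
# and a commented-out wheel stanza like the Red Hat default described above.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL
%deploy ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        PASSWD: /bin/tar
"""

# who  host = (runas) commands   (single host token only; a simplification)
SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)+)(.*)$")
SKIP = re.compile(r"(Defaults|\w+_Alias)\b")

def audit_sudoers(text):
    """Return (who, auth, command) for every ALL grant or NOPASSWD command."""
    findings = []
    # Join backslash-continued lines, then parse one rule per logical line.
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        # Comments cover commented-out stanzas; include directives are not followed.
        if not line or line.startswith("#") or SKIP.match(line):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, nopasswd = m.group(1), False  # sudo asks for a password by default
        for cmd in (c.strip() for c in m.group(2).split(",")):
            t = TAGS.match(cmd)
            if t:  # a tag applies to the commands after it until overridden
                for tag in re.findall(r"[A-Z_]+", t.group(1)):
                    if tag in ("NOPASSWD", "PASSWD"):
                        nopasswd = tag == "NOPASSWD"
                cmd = t.group(2).strip()
            if nopasswd:
                findings.append((who, "passwordless", cmd))
            elif cmd == "ALL":
                findings.append((who, "password-gated", cmd))
    return findings

if __name__ == "__main__":
    for who, auth, cmd in audit_sudoers(SAMPLE):
        print(f"{who:8} {auth:15} {cmd}")
```

On a real system, `visudo -c` remains the authority on whether the file parses; this sketch only classifies the rules it recognises.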
I suppose Ubuntu assumes, probably correctly for its target audience, that it runs on a personal machine with one user, so it is reasonable to add the user to the admin group and generally let him/her administer the system. Therefore, the user can basically do everything. It is not a problem in itself, at first glance. It would become a problem if the user would have admin privileges without any additional effort, authentication, etc., the way it is (was? my education stops at XP) on WIndows. Here users belonging to the admin group will need to invoke sudo and enter a password before doing anything nasty, so it does not look as a problem - at first glance. If it said "NOPASSWD" it would be dangerous since a malicious program running with the default user privileges could do nasty stuff _quietly_ (I don't know how difficult it is to modify /var/log/secure etc. to remove the trace of mischief, but this is for forensics only, in any case) with sudo then. Without "NOPASSWD" there is a line of defence that counts on the user to stop and wonder why an innocuous program is asking him/her for password. Since most users, unlike you, won't think twice, it might (should? I guess it depends on the paranoia level in the blood flow) be considered problematic. > Is it like that in other distributions? I am more familiar with RH who are server-oriented so they do not assume a single user environment. By default each user is a member of his/her private group (I actually hate that, I find "users" a good default group), instead of "admin" group there is the more traditional "wheel" (I understand why Ubuntu prefer "admin" for their target audience), and the equivalent stanza for the wheel group (allowing the members to do everything with sudo) is commented out by default in sudoers. -- Oleg Goldshmidt | o...@goldshmidt.org _______________________________________________ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il