Well, well. First of all, I think the decision to change the existing system is wrong. For one thing, I think it’s wrong that SUSE is just following others’ lead here. I never think that’s a good thing.
Secondly, it’s much harder to manage when there are multiple instances. And finally – and this is the most important point – it removes a layer of security.
Oh, and there’s a clear difference between giving someone rights for printer configuration and giving them the same rights for the entire system.
And this is the first I’ve heard of there apparently being a separate permissions system for every single thing. Who’s aware of this? I’d say less than 1% of users, and where is it documented? It can’t be in the manual, as there still isn’t one for Leap 16.
Or in the Wiki? If so, where exactly?
sudo configuration is (very) tricky. To have a taste of it check for instance https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-adm-sudo.html#sec-sudo-conf and if you are not faint of heart browse through man sudoers.
Easy guess no ordinary user would dare to touch that with a 3 meter pole.
But the option to switch one of three basic options by (un-)installing a single package
S | Name | Summary | Type
---+-----------------------------+----------------------------------------------------+--------
| sudo-policy-sudo-auth-self | Users in the sudo group can authenticate as admin | package
| sudo-policy-wheel-auth-self | Users in the wheel group can authenticate as admin | package
is within the reach of even the most basic home-office admin.
I cannot get this: only root can add a user to the wheel group to enable use of sudo and that is more secure than giving away the root password, isn’t it?
Nope. The previous behaviour only made any sense in a single user situation. The current makes sense everywhere, which is why it’s the default basically everywhere else.
No it’s not
No it doesn’t.
That’s not quite right.
Firstly, the first user created automatically becomes root. And secondly, one level is always removed – namely, the level involving a username and password.
Previously: To gain root privileges, you had to know and enter two usernames and two passwords. Now, you only need one username and one password.
No. Repeating something over and over again doesn’t make it any more true.
Secondly, it’s much harder to manage when there are multiple instances.
No it’s not
Yes, it is.
And finally – and this is the most important point – it removes a layer of security.
No it doesn’t.
Yes, it is.
@ecsos: The change in Leap 16 doesn’t remove a security layer. It replaces the legacy “shared root password” model with per-user privilege escalation via sudo.
While older setups required a separate root password, that approach is harder to audit and often less secure in practice.
As already explained by user OrsoBruno you’re free to use the legacy (older) security model if you prefer.
where is it documented? It can’t be in the manual, as there still isn’t one for Leap 16.
Or in the Wiki? If so, where exactly?
I do agree that it should have been explained in the release notes, and I reached out here to suggest it
https://lists.opensuse.org/archives/list/support@lists.opensuse.org/thread/QCCCHGQWP7XFHWA2LDYYAXDQNRBZ6HIW/
Lubos Kocman (Leap Release Manager) contacted me following that post, but it does not seem to have yet made it into the RN.
Please, whatever your preference in this subject, note that you can still have the “old” way of doing this. It is only a case of configuration. And yes, the default of the configuration was changed so that new installs have the “new” policy. And changing defaults always creates havoc (especially if one is not aware of it). But once you are aware, then configure to your needs.
The change in Leap 16 doesn’t remove a security layer. It replaces the legacy “shared root password” model with per-user privilege escalation via sudo.
While older setups required a separate root password, that approach is harder to audit and often less secure in practice.
Hmm. How would you describe the fact that I used to need two usernames and two passwords to delete a hard drive, but now I only need one username and one password?
I used to need two usernames and two passwords to delete a hard drive
You didn’t. You can perfectly log in as root (knowing the password) without needing the credentials of another user.
(And for “deleting a hard drive” you only need a hammer.)
@ecsos: I’ll split this topic away from the original so it can be discussed separately in Open Chat and to avoid derailing the original thread.
+1 to what Henk replied.
You didn’t. You can perfectly log in as root (knowing the password) without needing the credentials of another user. (And for “deleting a hard drive” you only need a hammer.)
That’s what I’m saying.
And that eliminates a security layer.
I only need a username and a password to, say, wipe the hard drive.
Before, I needed two usernames and two passwords.
And because of that last sentence, which has nothing to do with the topic but instead makes a mockery of it, I shouldn’t have responded at all.
I only need a username and a password to, say, wipe the hard drive.
Before, I needed two usernames and two passwords.
Please read and study my remark again (you can leave out the last sentence for that).
You did not (when using the old defaults) and do not (when using the new defaults) need another user’s credentials. You can simply log in as root and then do all that root can do.
The *buntu way:
- no root password is ever defined
- the first user has “wheel” privileges, becoming the de-facto admin of the system (without that the system would not be manageable)
- other users may or may not be added to the “wheel” group by the first user (or by other trusted users).
The (new) openSUSE way:
- at install you are asked if you want to define a root password or not
- if you define one, you can do everything like in “the old way”
- if not, the first user created has “wheel” privileges (without that the system would not be manageable)
- other users may or may not be added to the “wheel” group (by the root user or other admin users)
- each user added to the “wheel” group is deemed a “trusted” user and anyway receives less privileges than those granted by a given away root password
- if a user is no more “trusted” it can be removed from the “wheel” group (by the root user if defined or by one of the other trusted admins)
- and, most important, you can revert to the “old way” if you like to.
So basically now the system admin (call it “root” or define user 1000 as “fake_root”) has two choices:
- add other users to the “wheel” group and give them limited privileges (remember that sudo can be configured and limited)
- or give away the root password (remember that root power cannot be limited).
I cannot see how the new way (if managed properly) can be less secure than giving away the root password; and anyway, I repeat, you can revert to the old way if you like so.
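As an added example (not part of the original post and not openSUSE tooling): a small shell check of which of the models above a machine is actually in, reporting whether root has a usable password and who is in the wheel group. The function names and the account data are constructed for illustration; on a real system pass /etc/group, /etc/passwd and /etc/shadow (reading the last one requires root).

```shell
#!/bin/sh
# Added example. Answers "who can become root on this box?" for the two models
# in the thread: a usable root password and/or membership of the wheel group.

# Members of GROUP: explicit list in the group file plus users whose primary
# GID in the passwd file matches. One name per line, sorted.
group_members() {   # group_members GROUP GROUP_FILE PASSWD_FILE
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    [ -n "$gid" ] || return 0
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# State of root's password field in a shadow(5)-format file.
root_password_state() {   # root_password_state SHADOW_FILE
    awk -F: '$1 == "root" { found = 1
        if ($2 == "") print "empty"            # no password required
        else if ($2 ~ /^[!*]/) print "locked"  # no password can match
        else print "set" }
        END { if (!found) print "missing" }' "$1"
}

# Constructed sample data (not from a real system): root locked, "foo" is the
# first user and sits in wheel, "bar" is an ordinary user.
make_sample() {   # make_sample DIR
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'foo:x:1000:1000::/home/foo:/bin/bash' \
        'bar:x:1001:1001::/home/bar:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'wheel:x:497:foo' 'users:x:100:' > "$1/group"
    printf '%s\n' 'root:!:20000::::::' 'foo:$6$constructed$hash:20000:0:99999:7:::' \
        'bar:$6$constructed$hash:20000:0:99999:7:::' > "$1/shadow"
}

d=$(mktemp -d)
make_sample "$d"
echo "root password: $(root_password_state "$d/shadow")"
echo "wheel members: $(group_members wheel "$d/group" "$d/passwd" | tr '\n' ' ')"
```

Group membership only matters if the installed sudo policy grants that group rights, so read the result together with the sudoers configuration; pass `sudo` instead of `wheel` for the other policy package listed earlier in the thread.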
The […] way:
Thank you! Appreciated!
It’s pretty tedious to keep writing the same thing over and over again.
Before, you needed two passwords. Now, just one!
To put it another way.
If I look over the shoulder of someone who has root privileges—that is, who is in the wheel group—then I can later log in using their credentials and do everything a root user can do.
Before, I didn’t have the root password.
Furthermore, the statement “if you define one, you can do everything like in the old way” isn’t true either.
Because then groups and so on are missing.
Before, you needed two passwords. Now, just one!
Sorry, I will repeat this only once more. You only need the root password and login (e.g. in a virtual console, using Ctrl-Alt-Fn) as root and do any system management action you want.
If I look over the shoulder of someone who has root privileges
If you allow someone to look over your shoulder while typing passwords, no matter what password, then you pay no attention to security.
Furthermore, the statement “if you define one, you can do everything like in the old way” isn’t true either.
Because then groups and so on are missing.
Here I do not understand what you try to say. You can always add/change/remove groups and/or add users to groups (as root of course). When you specifically mean the wheel group, that was always present. Also in the times that in the default situation it was not used at all. Easy for those that in earlier times wanted “to have it the same as name-your-distribution”.
But it is easy enough. Everybody has her/his own system management environment. One system vs. a few systems vs. many systems. Need for distribution of one/some/all system management tasks to one or more other users or not. Etc., etc. Based on that you decide what to do. There is no “best practice” (but there are bad ones). Use what you need and like.
The fact that the defaults used by the installation and useradd differ now from before may be surprising and even annoying. But now you know, thanks to the forums.
And for those who wonder if I have a personal preference here (I tried to avoid making propaganda for it until now). I do not have sudo installed on the systems I manage. So at least part of the whole thing will not touch me.
I can later log in using their credentials and do everything a root user can do.
Before, I didn’t have the root password.
So that is a system with only one admin and the admin password is not given away.
The old way:
- the admin is user# 0, username root, groups root wheel
- the password for user# 0 must be set and used to do admin work
- you “normal user” must steal the password for user# 0 to do admin work.
The new way:
- the admin is user# 1000, username foo, groups foo wheel (and possibly others, not relevant here)
- the password for user# 1000 must be set and used to do admin work
- you “normal user” must steal the password for user# 1000 to do admin work.
The only difference I see is the admin username (“foo” vs. “root”) and the user# (1000 vs. 0).
I may be just color blind and not seeing the relevance of that difference?
A regular user should not have root privileges!!!
There’s a world of difference between theory and practice.
And if you’re not willing to understand that, then there’s no point in continuing the discussion.