I’ve been using *suse since 7.2, and really haven’t bothered with a lot of other distros. But with desktop virtualization having become so easy, I figured it was time to broaden my horizons, and figure out what all the Ubuntu hubbub was about…
Aside from all the orange (thanks but no thanks, I like green just fine), the thing that struck me as radically different was the way sudo & root are handled; root has no password - you must sudo stuff, but with your own password.
I like this approach, in the appropriate hands (like mine). I figure, if I know the root password anyway, why not just use mine. I don’t like the ‘emulation’ of this provided from YAST the last few versions with the option to have the root set the same as one user’s password, as this isn’t very multi-user friendly.
So, I’d like to know what you guys think of the Ubuntu-style of handling sudo: benefits, pitfalls, and what would it take to run an openSUSE system that way?
Throw away thought: Ubu’s way is unsafe unless you can totally block sudo from selected other users who are inexperienced (e.g. the 10 yr old kdz from next door).
Ubuntu’s way is supposed to stop people from logging in as root, but at the expense of making the root password effectively the same as any privileged user (in group wheel, I think). So it’s not without problems. If a user can be social engineered to do an unsafe sudo operation, then that opens up the system. Sorry, but I’d rather stick with the traditional model and keep the root password different. But then I’m a stick in the mud, what do you expect?
To make your setup for sudo like Ubuntu, if that’s what you want:
visudo and change the config to give superuser permission to users in the group wheel with the user’s password
Put the privileged users in the group wheel.
Test.
Disable root login by editing the password hash to be an impossible hash (does not correspond to any plaintext).
You might also want to make a wheel user’s path include /sbin and /usr/sbin (in front) so that you don’t have to type in the full path when using sudo.
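Added example, not part of the original post: a read-only check for the "Test" step above, confirming that the wheel rule is active, that sudo asks for the user's own password, and that root's hash is locked. The file names, the user alice and all file contents are constructed samples, and the `Defaults targetpw` and `ALL ALL=(ALL) ALL` lines in the "before" sample are assumed to be what a stock openSUSE sudoers contains. Files under /etc/sudoers.d are not examined.

```shell
#!/bin/sh
# Read-only checks for the steps above. All file contents are constructed samples.
# An uncommented "%wheel ALL=(ALL) ALL" rule exists in sudoers file $1.
wheel_rule_active() {
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+ALL' "$1"
}
# sudo prompts for the invoking user's own password: no active targetpw/rootpw.
asks_own_password() { ! grep -Eq '^[[:space:]]*Defaults.*[[:space:],](targetpw|rootpw)' "$1"; }
# No catch-all "ALL ALL=..." rule that would let users outside wheel use sudo.
no_catch_all() { ! grep -Eq '^[[:space:]]*ALL[[:space:]]+ALL[[:space:]]*=' "$1"; }
# User $2 is a listed member of wheel in group file $1.
in_wheel() {
    awk -F: -v u="$2" '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$1"
}
# root's hash field in shadow file $1 starts with ! or *, so no password matches it.
root_locked() { awk -F: '$1 == "root" && $2 ~ /^[!*]/ { ok = 1 } END { exit !ok }' "$1"; }
check() {  # check LABEL CMD ARGS...: report one check, remember any failure in rc
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; rc=1; fi
}
# audit SUDOERS GROUP SHADOW USER: returns 0 only if every check passes.
audit() {
    rc=0
    check "wheel rule active" wheel_rule_active "$1"
    check "own password asked" asks_own_password "$1"
    check "no catch-all rule" no_catch_all "$1"
    check "$4 listed in wheel" in_wheel "$2" "$4"
    check "root password locked" root_locked "$3"
    return "$rc"
}
write_samples() {  # $1 = directory that receives the constructed sample files
    printf '%s\n' 'Defaults targetpw' 'ALL ALL=(ALL) ALL' '# %wheel ALL=(ALL) ALL' > "$1/sudoers.before"
    printf '%s\n' '# Defaults targetpw' '# ALL ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' > "$1/sudoers.after"
    printf '%s\n' 'users:x:100:' 'wheel:x:10:alice' > "$1/group"
    printf '%s\n' 'root:$6$constructed$placeholder:19000::::::' > "$1/shadow.before"
    printf '%s\n' 'root:!:19000::::::' > "$1/shadow.after"
}
tmp=$(mktemp -d) && write_samples "$tmp"
audit "$tmp/sudoers.before" "$tmp/group" "$tmp/shadow.before" alice || echo "before: not Ubuntu-style yet"
audit "$tmp/sudoers.after" "$tmp/group" "$tmp/shadow.after" alice && echo "after: all checks pass"
rm -rf "$tmp"
```

To check a live system, run `audit` as root against /etc/sudoers, /etc/group and /etc/shadow with a real user name in place of alice.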
Keeps all the users as regular users and special access when you need it on the separate root account.
Sudo is nice to add to let users start certain applications that need the rights…
The way Ubuntu implements sudo, in my eyes, makes it too easy to do something that can jeopardize or flush your system… Maybe not too bad for a desktop, but I don’t like that thought on servers.
To be fair to Ubuntu it’s only users that have been put in group wheel (this is done by “make user administrator” in GNOME). The first user is in, of course. Very Windowish.