The sudo command asks for the root password

Why does the system ask for the root password by default after issuing the sudo command? Is there a security or other reason for this? Another question: in the case of openSUSE in particular, what is the easiest way to add a user to the sudoers file, or is there a special setting in the configuration file to prompt the user for the user password instead of root after the sudo command?

You seem to be used to Linux distributions with other security policies.

It is indeed so that for running processes “as root” you need to know the root password.

Maybe this is of interest: https://en.opensuse.org/SDB%3ALogin_as_root

Personally, I never use sudo. Apart from starting YaST (which of course asks for the root password), I use (in KDE) from the Main menu > System > Terminal - Super User Mode, which uses

su -

Using that direct from a user terminal/console is of course also a good option.


And when you really want to change this in the sudoers file then read

man sudoers

(and be sure you really understand the implications).

And yes, the sudoers file as installed by default in openSUSE forces that people must always prove they know the root password to do things “as root”.

In the meantime, I found the official solution to this. Interestingly, unlike other distributions, SUSE does not allow you to use your own password for sudo by default. “Using sudo to allow non-root users to perform root level functions” (SUSE Support).
I think the same policy applies to openSUSE.

With me being the only administrator on my machines sudo is of little use and more an annoyance. On distributions allowing sudo only I run sudo passwd. That allows me to use su -.


 # cat /etc/sudoers
 .
 .
## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
 .
 .
 # 

I, personally, never delete those two lines – I comment them out …

Please, use “visudo” when editing the ‘/etc/sudoers’ file.

  • Also, please, consider dropping drop-in files into the ‘/etc/sudoers.d/’ directory.

Further information, apart from the man pages, is available in an openSUSE SDB document – <https://en.opensuse.org/SDB:Administer_with_sudo>.
There’s also a YaST module which is normally installed by default → “yast2-sudo”.

There’s a draft SUSE document related to configuring “sudo” – <https://documentation.suse.com/smart/linux/html/task-configure-sudo/index.html>.
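The WARNING in the shipped file quoted above is the security-relevant part: if `Defaults targetpw` is removed or commented out while `ALL ALL=(ALL) ALL` stays active, every local user can become root with their own password. The following check for that state is an added example, not part of any post in this thread; the function name `audit_targetpw` is hypothetical, it reads only the files passed to it, and its comment stripping is simplified.

```shell
#!/bin/sh
# Added example. Usage: audit_targetpw FILE...  (e.g. /etc/sudoers /etc/sudoers.d/*, as root)
# Prints root-password | user-password | UNSAFE; exit status is 1 on UNSAFE.
audit_targetpw() {
    awk '
    {
        sub(/#.*/, "")                 # strip comments; simplified, enough for these two rules
        flat = $0; gsub(/[ \t]/, "", flat)
    }
    # Global "Defaults" lines only; scoped forms such as Defaults:user have a different $1.
    $1 == "Defaults" {
        for (i = 2; i <= NF; i++) {
            n = split($i, opt, ",")
            for (j = 1; j <= n; j++) {
                if (opt[j] == "targetpw")  targetpw = 1
                if (opt[j] == "!targetpw") targetpw = 0
            }
        }
    }
    # The shipped catch-all rule, tolerating spacing and an (ALL:ALL) runas spec.
    flat ~ /^ALLALL=\(ALL(:ALL)?\)ALL$/ { catchall = 1 }
    END {
        if (catchall && !targetpw) { print "UNSAFE"; exit 1 }
        print (targetpw ? "root-password" : "user-password")
    }' "$@"
}

# Constructed sample: the shipped pair with only "Defaults targetpw" commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults env_reset
#Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
EOF
echo "sample: $(audit_targetpw "$sample")"
rm -f "$sample"
```

Files are read in the order given, so a drop-in that sets `Defaults !targetpw` after the main file is reflected in the verdict.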

The lesson is that one distribution has this philosophy about using sudo by default, and the other has a different one. It is difficult to decide which is better.

Hi
Better for system administration, let them (Admins) configure as required and document :wink: I use it for one command here, /usr/bin/build for osc, else it’s su -.

It is really a personal decision. I am from old school Unix and I am very much aware of the builtin division between root and users and the inherent security it offers. Different roles even if the same person is executing both functions.

I assume the approach you have seen in other distributions is more to the taste of former MS Windows users, where there is no real division (until some years ago even none at all) between administrator and user and, above that, there is in fact only one user, whereas Unix/Linux accommodates a multi-user environment.

As for all decisions made, someone (hopefully a knowledgeable group) has made the decision … >:)

  • We’re lucky – in this case, the decision wasn’t burnt into code – it can be changed by changing the configuration – by a System Administrator …
    Which is what System Administrators do anyway …

My vote is on sudo with user pw. Regardless of security, this is just what I am used to at work. There the Linux hosts/VMs are hooked to some IdM and they naturally won’t give me the root pw. I might get sudo on my user and pw, if I sign two pounds of A4 forms containing NDAs, waivers, security foo. So, I usually switch my private computers to user pw for sudo. Just to get this straight: I am not discussing or doubting a vendor’s decision for or against a certain setup. After all, this is Linux, just change it to whatever suits your taste.

Hi
That’s the openSUSE expectation :wink:

Yes, that may be OK for some System Administration scenarios but, it depends how pernickety the people responsible for system security are … >:)

Well, you can set the user password and root password to be the same. In fact, last I checked, the installer did that unless you choose not to. Since Ubuntu and other distros that do this generally do not have a root user as such, just the first user password is used for root situations.

If you are a member of the old Unix school, you will probably remember the controversy in the Debian community about the introduction of sudo years ago, how much resentment it caused at the time. I myself prefer the root role if I need explicit privileges to perform a system-wide operation. Nevertheless, I found the openSUSE approach of requiring a root password after issuing the sudo command strange, because I’m so used to sudo, like Windows, requiring the user’s password in most distributions. Moreover, in most installations, you can choose whether to create a root user or whether the first user created during the installation will be an administrator.

It is a bit difficult to answer this.

When I talk about “old Unix school”, I mean things like HP-UX, SUN-OS/Solaris, AIX, …
I remember that sudo emerged as a product of some university and was rejected by us because it wasn’t covered by the support and responsibility (it is much about security) of HP, SUN, IBM, etc. How could we explain to our customers that we introduced software from “somewhere else” on the systems they used? When something went wrong, who to sue?

No, it is impossible to remember “the controversy in the Debian community about the introduction of sudo years ago” simply because one cannot remember things one never knew about.

And talking about whether to “create a root user” or not is nonsense IMHO. There is always the root user, which is defined as the user with UID=0.

And processes that have to run owned by the root user are still processes that have to be owned by the root user to allow them to do the tasks to be done. The kernel will not accept certain calls to it (amongst them those that are contrary to file access permissions) when not done by a root owned process.

Are you aware of the underlying mechanism to start a root owned process as child of a user owned process (because that is what we are talking about)?
That functions the same on every system regardless of the usage of sudo or something else, and when using sudo it is independent of the way sudo is configured. Only the checks on “is this allowed or not” depend on the tool used (there may even be no checks at all). And in the sudo tool these checks are configurable.

openSUSE has the policy to always ask for the root password for YaST, … and sudo. So the distributed sudo configuration is made to follow the policy. Everybody can change to her/his liking (or addiction to habit).

Well said Henk.

Meaning that, the user “root” (User ID value = 0) can either be locked – logins disabled – even from the console terminal – or, logins to the user “root” are allowed.

There are some secure systems which have the user “root” set up such that login is only possible at the system’s console terminal – which is locked away in a secure cage with the rest of the physical system in a secure computer room, which itself is located physically in a secure computing facility/complex …

  • Network user access – forget it – such systems are usually only Name Servers …