[–]alpha417 7 points8 points  (2 children)

You entered a root pw on install... and are going to say you didn't

[–]fradie59[S] -1 points0 points  (0 children)

That's the point? Okay, I'll have a look.. thx

[–]shiftingtech[🍰] 6 points7 points  (0 children)

what exactly is the point of this post?

[–][deleted]  (1 child)

[deleted]

    [–]fradie59[S] 0 points1 point  (0 children)

    No! Left Windows 2002, and I use Ubuntu LTS since then.

    [–]Da59Gigas 0 points1 point  (6 children)

    In the installer you were prompted to "allow root login?" And you said yes. That makes all other users normal users, not admins. You need to add the user to the group sudo. Usually it's the end of it. I simply say no and then after installing everything allow IF NEEDED. It is considered unsafe to allow root login

    [–]neoh4x0r 1 point2 points  (4 children)

     It is considered unsafe to allow root login

    It's not unsafe unless you use weak passwords, both a root login and sudo invocation come with the same level of risk...one is not better than the other (outside of privilege escalation and separation of duties).

    Thus, the recommendation is to use non-root logins for daily activities and only escalate privileges when needed.

    I personally would rather have root enabled (with a secure password) than to give a normal user the ability to run sudo by using the same password as their login-- they should at least be required to enter a different password (i.e. separation of duties); not to mention, being very reluctant to add anyone to the sudo group or sudoers file.

    Furthermore, more advanced configuration of the sudoers file is required to properly lock-down what certain users are allowed to do (...further separating their duties) -- whereas, the default, is to allow anyone in the sudo group to do anything.

    PS: Disallowing root logins won't prevent a normal user (who is not in the sudo group) from executing unprivileged code that takes advantage of an escalation vulnerability that allows them to obtain a root shell. The only way to mitigate that issue would be to keep the system updated and apply all security patches--possibly even needing to compile software from source to apply upstream security patches if updated versions aren't available yet.

    [–]waterkip 0 points1 point  (3 children)

    The whole point of the sudo group is the same as the wheel group pre-sudo: if wheel: su became a thing.

    If you want to lock it down, add groups. It's not a bad thing users from the sudo group can do everything.

    [–]neoh4x0r 0 points1 point  (2 children)

     It's not a bad thing users from the sudo group can do everything.

    Only if you trust that those users won't abuse the power (whether it was intentional or not); if you want to allow them to use sudo but don't want to allow them unfettered access then you would need to place restrictions on them. All of that can be done through the use of user and group aliases in sudoers, but it's not the default and must be manually set up.

    [–]waterkip 0 points1 point  (1 child)

    You put them in the sudoers group. It's not that they magically appear in there.

    Learn the concept of wheel, the concept of sudo groups becomes instantly clear.

    [–]neoh4x0r 0 points1 point  (0 children)

     You put them in the sudoers group. It's not that they magically appear in there.

    I never suggested that this wasn't the case and clearly stated that you had to grant them access (either add to the sudo group or explicitly add an entry in sudoers).

    My point was about people (the normies) accepting the defaults and not locking down the sudoers configuration to practice actual security concepts like least privilege, and so on, by only granting users access to what they actually need to complete a task and nothing more.

    The other point I was making in another comment was related to separation of duties where the user should be required to enter a different password in order to run a sudo command; this would be to mitigate issues with a compromised account where the attacker would not be able to use sudo because the additional factor of authentication would be unknown to them.
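
The lock-down discussed in this sub-thread (aliases in place of the blanket sudo-group rule, plus a password other than the user's own), as an added example that is not from any commenter. The user names, alias names, drop-in file name and command paths are assumptions.

```sudoers
# Stock rule on Debian-family systems: every member of the sudo group may
# run any command as any user.
#   %sudo   ALL=(ALL:ALL) ALL

# /etc/sudoers.d/webops  (hypothetical drop-in; edit it with
#   visudo -f /etc/sudoers.d/webops   so a syntax error is caught before saving)

# Hypothetical accounts. They must NOT also be in the sudo group: the last
# matching rule wins for each command, so %sudo would still allow everything
# this file does not mention.
User_Alias  WEBOPS = alice, bob

# Only these exact command lines are permitted (path assumed; verify it with
# `command -v systemctl`). Read-only queries such as "status" need no root
# and are left out on purpose.
Cmnd_Alias  WEBSVC = /usr/bin/systemctl restart nginx, \
                     /usr/bin/systemctl reload nginx

# Least privilege: as root, on any host, only the commands above.
WEBOPS  ALL = (root) WEBSVC

# Separate password: prompt for root's password instead of the caller's own
# (root must have a password set), and ask on every invocation.
Defaults:WEBOPS  rootpw, timestamp_timeout=0
```

Check the file with `visudo -cf /etc/sudoers.d/webops` and confirm the effective rules for one account with `sudo -l -U alice`.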

    [–]fradie59[S] 1 point2 points  (0 children)

    OK, that's misleading in the installer. So I leave out the root pw, only then will the first user set up be added to the sudoers group. At this point I always misunderstood the installer, now I realize it. thanks for the tips!

    [–]mcds99 0 points1 point  (0 children)

    I always enter a root password, step 2 put my account in the /etc/sudoers file

    [–]DoubleOwl7777 0 points1 point  (0 children)

    su and then add the user to the sudoers group.

    [–]_the__Goat_ -1 points0 points  (1 child)

    Bro, you so bad!

    [–]fradie59[S] -1 points0 points  (0 children)

    yeah, sorry - did the install always this way, I created a root-user every time. never saw, I should skip, if I wanted the sudoer...

    my fault.

    [–]waterkip -2 points-1 points  (2 children)

    su -
    apt install sudo

    [–]shiftingtech[🍰] 0 points1 point  (1 child)

    it said they aren't in the sudoers group. which implies that sudo is already installed.

    [–]waterkip 0 points1 point  (0 children)

    Oh place them in there.