Re: Easy way/script to add another user like me?

On Thursday, 2 March 2006 19:36, Joe(theWordy)Philbrook wrote:
It would appear that on Feb 26, Tommy Trussell did say:
I believe on all recent versions of Ubuntu, I believe all you
have to do to give a user sudo privileges is to add them to the
admin group. (I'm not in front of my system right now or I'd tell
you for sure.) You CAN edit the sudoers file, but the way it's
set up you won't need to.

This is true. My /etc/sudoers looks like this:

develop etc # cat sudoers
...
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

I am a member of the admin group
develop etc # cat group | grep admin
admin:x:106:alan


I don't know about that, I thought there should be a little more to
it, but you got me to do a simple test...

<snip description of setup>

Anyway this is the result of trying to use sudo with joker after
verifying membership in admin...

# undefined -> /home/joker
# > grep admin /etc/group
# lpadmin:x:106:
# admin:x:114:joker
# undefined -> /home/joker
# > sudo apt-get update
# joker is not in the sudoers file. This incident will be
reported. # undefined -> /home/joker

Your /etc/sudoers doesn't have the magic admin line, probably as a
result of doing an expert install and this step being skipped

<snip>

For me the only security advantage that I believe "sudo" really has
over "su root -c" (that an outside "attacker" has a better chance
of cracking the root password because they already know the
username is "root") is of no consequence when my system is behind a
router that doesn't forward ANY ports thus preventing remote
logins.

It's a two edged sword. You can make the root account very secure by
renaming the root username - it doesn't have to be root, you can make
it easterbunny and the kernel couldn't care less (it's UID 0 that
identifies root) and disallow superuser logins on all terminals. Then
a user must log in as himself and 'su -' which leaves an audit trail

The disadvantage is that there's no granularity. If any one knows the
password they can become root and the admin can't control what they
can do. Hence the valid need for sudo to limit what other users can
do. I believe a better option would have been for sudo to require a
strong *root* password, then elevate the user to do only what sudoers
allows him to. But, it wasn't implemented that way.

sudo is technically weaker than su as on a standard ubuntu desktop
install I can 'sudo /bin/bash' and effectively be fully root, needing
only *my own* password. So there's a choice and we have to make a
responsible decision to select the better one for a given
circumstance

So I don't see the advantage of learning how to manually set up
said sudoer account. Now if there was a root script for adding
sudoers that automatically walked me through all the steps that the
installer would have done if I let it create my 1st user for me,
I'd be very interested in checking it out.

Though, if I were to start using sudo instead of an active root
account I would want to set up a single special full root privilege
access account. That any user whom I entrusted with the password to
that account can then use su with the sudoers account password to
get to where they can use sudo to do the root stuff. That's because
I expressly don't want any generic account that is used for
everyday stuff to have it's own password be enough to get access to
root privileges...

The intention is that the first user account should be your own. If
you set up the box, you are probably the person controlling it and
you most likely want yourself to be able to become root.

To set it up after the fact, install sudo, create an admin group, add
yourself to it and copy a sudoers file from a working installation.
AFAIK that's all the installer does

--
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five

--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Relevant Pages

  • Re: Easy way/script to add another user like me?
    ... do to give a user sudo privileges is to add them to the admin group. ... I used my root account to add joker to the "admin group" via ...
    (Ubuntu)
  • Re: How do I give root permissions to another user?
    ... It sounds like your sudo isn't properly configured. ... That you could perhaps do with making a new group 'admin', ... people will have different rights. ... However, if you do it correctly, nobody will actualy need the root ...
    (alt.os.linux.suse)
  • Re: Apple recommending anti-virus software for Macs?
    ... > That's running as root, ... That's NOT the purpose of sudo. ... root account is an entirely different matter. ... # By default sudo will require the password of an admin ...
    (comp.sys.mac.system)
  • Re: Admin account suddenly changing to a standard one
    ... root password by typing su at the terminal's prompt. ... (with admin privileges, ... the system I could login but the account whose short name I changed - the ... sudo command gives you temporary root access, ...
    (comp.sys.mac.system)
  • Re: Root user permission
    ... Can someone offers a link of HOWTO about this topic 'root permission' ... You can use sudo if you are part of the sudo group (see the files ... you are part of the admin group. ... On the whole I don't think encouraging new users to set up a root account ...
    (Ubuntu)