how to get a real root/user separation?

Joe(theWordy)Philbrook jtwdyp at ttlc.net
Sun Nov 16 19:49:35 UTC 2008


It would appear that on Oct 9, John DeCarlo did say:

> 
> Dex, the two things you are talking about are completely different.
> 
> With Kubuntu and Ubuntu, only the first user you set up will have sudo
> privileges, by default.
> 
> So if you want to set up a few boxes and not have users mess with them, set
> up an administrator account first on each one.
> 
> Then you are done, and don't need to worry.

Of course if he is really more comfortable with the root account model
and is used to how to keep one secure, then there IS another
alternative...

Step one is to set the root password so that there IS one...

Step two is to use visudo to edit the sudoers file and set the rootpw
flag by adding it to the Defaults line...

IE: if it currently looks like:

Defaults        env_reset

make it look like:

Defaults        env_reset,rootpw

Then when (_any_user_with_sudo_privileges) uses sudo, or one of the
GUI admin apps that in Kubuntu look for sudo authorization, it will
expect them to supply the root passwd instead of their own everyday
use one...

It will of course still want them to have sudo privileges.
Which by default in Kubuntu seems to mean that they are in
the admin group.

I learned this because I never believed that my own everyday
use password would remain secure from casual observation by
shoulder surfers. I need to enter it to log in for everyday
mundane tasks. And to unlock my KDE session etc... Thus sooner
or later I'll stop waiting till there isn't anybody else in the room
where they _could_ be watching me enter it.

When I need to do something that actually needs the root passwd I tend to
think of it as a more dangerous process. And since I don't need to enter
it twenty times a day, I'm more likely to take the extra care it takes to
prevent the password from being compromised. 

I could have simply set up an admin as first user on the box
as you suggest. But then unless I wanted to add my personal
everyday use account to the admin group (which would have made
my everyday use password too powerful...), I'd have had to
log in as that admin before I could use sudo or one of
those nice GUI admin tools.


-- 
|   ---   ___
|   <0>   <->	   Joe (theWordy) Philbrook
|	^		J(tWdy)P
|    ~\___/~	     <<jtwdyp at ttlc.net>>
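
An added example, not part of the original post: a shell check of the two steps described above, reporting which password sudo will ask for and flagging the case where rootpw is set while root has no usable password. The function names and the sample sudoers and shadow lines are constructed for illustration.

```shell
#!/bin/sh
# Added audit sketch. Only global "Defaults" lines are read; #include files
# are not followed. All sample data below is constructed.

# Exit 0 if the last global Defaults entry for rootpw in file $1 enables it.
rootpw_enabled() {
    awk '
        { line = buf $0; buf = "" }
        line ~ /\\$/ { sub(/\\$/, "", line); buf = line; next }  # join continuations
        {
            sub(/#.*/, "", line)                      # drop comments
            if (line !~ /^[ \t]*Defaults[ \t]/) next
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opt, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opt[i])
                if (opt[i] == "rootpw")  on = 1
                if (opt[i] == "!rootpw") on = 0       # explicit negation
            }
        }
        END { exit (on ? 0 : 1) }' "$1"
}

# Exit 0 if root's entry in shadow-format file $1 holds a usable hash
# (not empty, not locked with a leading "!" or "*").
root_has_password() {
    hash=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$hash" in
        ''|'!'*|'*'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print which password sudo will ask for, given a sudoers and a shadow file.
audit_rootpw() {
    if ! rootpw_enabled "$1"; then
        echo "default: sudo asks for the invoking user's password"
    elif root_has_password "$2"; then
        echo "ok: sudo asks for the root password"
    else
        echo "lockout: rootpw is set but root has no usable password"
    fi
}

# Constructed sample: step two done, step one skipped (root still locked).
tmp=$(mktemp -d)
printf 'Defaults\tenv_reset,rootpw\n%%admin ALL=(ALL) ALL\n' > "$tmp/sudoers"
printf 'root:!:14199:0:99999:7:::\n' > "$tmp/shadow"
audit_rootpw "$tmp/sudoers" "$tmp/shadow"
```

On a real machine the two arguments would be /etc/sudoers and /etc/shadow, read as root.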




