that darned ROOT problem
Bo Grimes
newslists at isp.com
Wed Sep 28 17:45:07 UTC 2005
Mario Vukelic wrote:
>On Wed, 2005-09-28 at 07:52 -0700, Mike Bird wrote:
>
>
>>Giving unrequested sudo permission to the first user account is a
>>MAJOR
>>SECURITY HOLE.
>>
>>
>
>I don't see how it is. This is the user who installs the PC. *Of course*
>he/she has total control. You can't prevent it and ignoring it does not
>change it. What stops the installing user from putting a trojan
>into /usr/bin during the install? Nothing.
>
It's like this, I think. If I install and use the first user account
then I have only one level of password protection for the system.
Anyone who gets my user password has root, period. If I install and
then create a different user for me without sudo then I have effectively
done the same thing as with root on most distros, so why bother doing it
like this?
You either add the extra layer anyway or you operate under the illusion
that your system is secure. If it's to protect newbies from themselves
it's not--as they can just type in their password and bork the
system--and is a poor substitute for education about the purpose for and
uses of root.
More information about the ubuntu-users
mailing list