Easy way/script to add another user like me?

Alan McKinnon alan at linuxholdings.co.za
Thu Mar 2 22:21:59 UTC 2006


On Thursday, 2 March 2006 19:36, Joe(theWordy)Philbrook wrote:
> It would appear that on Feb 26, Tommy Trussell did say:
> > I believe on all recent versions of Ubuntu, I believe all you
> > have to do to give a user sudo privileges is to add them to the
> > admin group. (I'm not in front of my system right now or I'd tell
> > you for sure.) You CAN edit the sudoers file, but the way it's
> > set up you won't need to.

This is true. My /etc/sudoers looks like this:

develop etc # cat sudoers
...
# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL

I am a member of the admin group
develop etc # cat group | grep admin
admin:x:106:alan


> I don't know about that, I thought there should be a little more to
> it, but you got me to do a simple test...

<snip description of setup>

> Anyway this is the result of trying to use sudo with joker after
> verifying membership in admin...
>
> # undefined -> /home/joker
> # > grep admin /etc/group
> # lpadmin:x:106:
> # admin:x:114:joker
> # undefined -> /home/joker
> # > sudo apt-get update
> # joker is not in the sudoers file.  This incident will be reported.
> # undefined -> /home/joker

Your /etc/sudoers doesn't have the magic admin line, probably as a 
result of doing an expert install and this step being skipped.

<snip>

> For me the only security advantage that I believe "sudo" really has
> over "su root -c" (that an outside "attacker" has a better chance
> of cracking the root password because they already know the
> username is "root") is of no consequence when my system is behind a
> router that doesn't forward ANY ports thus preventing remote
> logins.

It's a two-edged sword. You can make the root account very secure by 
renaming the root username - it doesn't have to be root, you can make 
it easterbunny and the kernel couldn't care less (it's UID 0 that 
identifies root) and disallow superuser logins on all terminals. Then 
a user must log in as himself and 'su -' which leaves an audit trail.

The disadvantage is that there's no granularity. If anyone knows the 
password they can become root and the admin can't control what they 
can do. Hence the valid need for sudo to limit what other users can 
do. I believe a better option would have been for sudo to require a 
strong *root* password, then elevate the user to do only what sudoers 
allows him to. But, it wasn't implemented that way.

sudo is technically weaker than su as on a standard Ubuntu desktop 
install I can 'sudo /bin/bash' and effectively be fully root, needing 
only *my own* password. So there's a choice and we have to make a 
responsible decision to select the better one for a given 
circumstance.

> So I don't see the advantage of learning how to manually set up
> said sudoer account. Now if there was a root script for adding
> sudoers that automatically walked me through all the steps that the
> installer would have done if I let it create my 1st user for me,
> I'd be very interested in checking it out.
>
> Though, if I were to start using sudo instead of an active root
> account I would want to set up a single special full root privilege
> access account. That any user whom I entrusted with the password to
> that account can then use su with the sudoers account password to
> get to where they can use sudo to do the root stuff. That's because
> I expressly don't want any generic account that is used for
> everyday stuff to have its own password be enough to get access to
> root privileges...

The intention is that the first user account should be your own. If 
you set up the box, you are probably the person controlling it and 
you most likely want yourself to be able to become root.

To set it up after the fact, install sudo, create an admin group, add 
yourself to it and copy a sudoers file from a working installation. 
AFAIK that's all the installer does.

-- 
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
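
Added example (not part of the original message and not the Ubuntu installer's code): a POSIX shell check for the failure discussed above, where a user is listed in the admin group but /etc/sudoers has no %admin rule. The function names and the path parameters are assumptions made for this example, and it inspects only the single sudoers file it is given.

```sh
#!/bin/sh
# Diagnose "<user> is not in the sudoers file" when sudo access is meant to
# come from group membership (the "%admin ALL=(ALL) ALL" rule).
# Paths are parameters so the check can be run against copies of the files.

# has_group_rule SUDOERS GROUP
# Succeeds if SUDOERS has an uncommented rule that starts with %GROUP.
has_group_rule() {
    grep -Eq "^[[:space:]]*%$2[[:space:]]" "$1"
}

# in_group GROUPFILE GROUP USER
# Succeeds if USER is in the member list of GROUP. The group name is matched
# exactly, so "admin" does not also match "lpadmin" as a plain grep would.
# Limitation: a user whose *primary* group is GROUP is not listed here.
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# check_sudo_group USER [GROUP] [SUDOERS] [GROUPFILE]
# Prints one of: ok | no-rule | not-member | no-rule,not-member
check_sudo_group() {
    user=$1
    group=${2:-admin}
    sudoers=${3:-/etc/sudoers}
    groupfile=${4:-/etc/group}
    result=""
    has_group_rule "$sudoers" "$group" || result="no-rule"
    in_group "$groupfile" "$group" "$user" || result="${result:+$result,}not-member"
    echo "${result:-ok}"
}

# When called with arguments, run the check directly.
if [ $# -ge 1 ]; then
    check_sudo_group "$@"
fi
```

Reading the real /etc/sudoers requires root. If the result is no-rule, add the line with visudo rather than a plain editor, so a syntax error is caught before the file is saved.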
