Easy way/script to add another user like me?

Joe(theWordy)Philbrook jtwdyp at ttlc.net
Fri Mar 3 19:56:04 UTC 2006


It would appear that on Mar 3, Alan McKinnon did say:

 - - - - - - - - -< s n i p >- - - - - - - - - -
> Your /etc/sudoers doesn't have the magic admin line, probably as a 
> result of doing an expert install and this step being skipped
 - - - - - - - - -< s n i p >- - - - - - - - - -

Correct: that "%admin  ALL=(ALL) ALL" line is missing...
 
> > For me the only security advantage that I believe "sudo" really has
> > over "su root -c" (that an outside "attacker" has a better chance
> > of cracking the root password because they already know the
> > username is "root") is of no consequence when my system is behind a
> > router that doesn't forward ANY ports thus preventing remote
> > logins.
> 
> It's a two-edged sword. You can make the root account very secure by 
> renaming the root username - it doesn't have to be root, you can make 
> it easterbunny and the kernel couldn't care less (it's UID 0 that 
> identifies root) and disallow superuser logins on all terminals. Then 
> a user must log in as himself and 'su -' which leaves an audit trail

Yeah, I've heard of that, but I've also heard that some software may
fail if root isn't named root???

Ummnn, how does one disallow all superuser logins anyway???

> The disadvantage is that there's no granularity. If anyone knows the 
> password they can become root and the admin can't control what they 
> can do. Hence the valid need for sudo to limit what other users can 
> do. I believe a better option would have been for sudo to require a 
> strong *root* password, then elevate the user to do only what sudoers 
> allows him to. But, it wasn't implemented that way.

Yeah, I'd have liked that a little better... Though since the method
they chose to prevent root logins was to disable the root password it
would have to have been a special sudoer account password. This might
have been a bit of work to set up.

> sudo is technically weaker than su as on a standard ubuntu desktop 
> install I can 'sudo /bin/bash' and effectively be fully root, needing 
> only *my own* password. So there's a choice and we have to make a 
> responsible decision to select the better one for a given 
> circumstance
 
> > Though, if I were to start using sudo instead of an active root
> > account I would want to set up a single special full root privilege
> > access account. That any user whom I entrusted with the password to
> > that account can then use su with the sudoers account password to
> > get to where they can use sudo to do the root stuff. That's because
> > I expressly don't want any generic account that is used for
> > everyday stuff to have its own password be enough to get access to
> > root privileges...
> 
> The intention is that the first user account should be your own. If 
> you set up the box, you are probably the person controlling it and 
> you most likely want yourself to be able to become root.

It was exactly that assumption that made my non-conformist nature decide
I wasn't going to use sudo at all in the first place.

If I were to use sudo it would NEVER be the same account I routinely use
to send and receive e-mail and/or surf the web with that I would want
given sudoer permission to... To me this is almost as bad as running as
root all the time, as sooner or later one will fail to notice that
someone was standing behind you when you log in to your everyday login,
which gives them a chance to watch you type your password...

When I log in to a root account I look behind me first... etc...

Also in my case I routinely start up a new installation with a junk
username with a VERY trivial password that I only use to test generic user
permissions settings and to configure certain user preferences prior to
copying the (dot)files to etc/skel before I ever create my own regular
user, for which, incidentally, I insist on specifying the uid, So that
files I own on one of my other distros can be readily accessed as long
as the partitions are mounted...

So when on my 1st ubuntu installation attempt I learned that my junk user
had by default been set up as as close to a superuser as I was going to
get. And that if I wanted a root account I was going to have to use that
_JUNK_ user's sudo permissions to enable it. I was so offended that I
immediately rebooted to another distro and used mkfs on the ubuntu
partition.

If I hadn't learned that a usable root login would be created via the
expert installation mode I would not have allowed ubuntu to be reinstalled
on my pc...  And if that said mode had insisted on creating a sudoer
account before I was ready to specify one, (which would not have been
until I'd installed a couple of things with apt-get...) My 1st root
command would have been a "deluser --remove-all-files junkuser"

Then AFTER my system was configured I'd have made a real user, and if I
hadn't been offended by the way the standard ubuntu install hadn't even
informed me what it was doing when it had forced the first user account
I happened to create to be _THE_ sudoer, that's when I'd have probably
been willing to create an admin account that could be accessed via su to
get to where I could do a sudo.

IF that worked then I might study enough of the sudo docs to learn to
establish a couple of lower permission level admin accounts with less
than full root capability. But since the default ubuntu install tried to
cram sudo down my throat I'm not very likely to embrace using it on ubuntu.

> To set it up after the fact, install sudo, create an admin group, add 
> yourself to it and copy a sudoers file from a working installation. 
> AFAIK that's all the installer does

For purposes of testing and general learning I'll try adding that
"magic line" to my sudoers file and see if that gives joker sudo
privileges. Then if jtwdyp can "su - joker" then use jokers sudo
permissions to do an admin task I'll think about it some more.

Well that did work... I guess I'll have to think about it...

	Joe

   #############################################################
   ##_if_you'd_prefer_an_clearsigned_".asc"_text_file_of_this_##
   ##message_as_an_mime_encoded_attachment,just_ask_me_while__##
   ##it's_STILL_IN_my_outbox_folder_._._._=+=+=+=+=+=+=+=+;-)_##
   #gpg sig for: Joe (theWordy) Philbrook DSA key ID 0x6C2163DE#
   # You can find my public gpg key at http://pgpkeys.mit.edu/ #
   #############################################################
-- 
|				      ---   ---
|     Joe (theWordy) Philbrook	      <o>   <o>
|	   J(tWdy)P			  ^
|	<<jtwdyp at ttlc.net>>		/---\	"bla bla bla..."
|					\___/	"...and bla..."

   At least I know my mouth is running, I just can't find the off button!
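
An added example, not part of the original message: a small audit helper that lists which accounts end up with unrestricted sudo once the `%admin  ALL=(ALL) ALL` line discussed above is in place, so an everyday login that has picked up full root through group membership is easy to spot. The function names, the constructed sample files and the `backup` rule are assumptions; `joker` and `jtwdyp` are the accounts named in the message.

```shell
#!/bin/sh
# List accounts granted unrestricted sudo ("ALL=(ALL) ALL"), either directly
# or through a %group rule. Sketch only: resolves members listed in the group
# file (not primary groups) and ignores aliases and include directives.
full_sudo_accounts() {
    sudoers=$1
    groupfile=$2
    awk -v groupfile="$groupfile" '
        BEGIN {
            # Map group name -> comma-separated member list.
            while ((getline line < groupfile) > 0) {
                split(line, f, ":")
                members[f[1]] = f[4]
            }
        }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            who = $1
            rule = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", rule)   # drop the user/group field
            gsub(/[ \t]/, "", rule)
            sub(/NOPASSWD:/, "", rule)              # tag does not limit scope
            if (rule != "ALL=(ALL)ALL" && rule != "ALL=(ALL:ALL)ALL") next
            if (substr(who, 1, 1) == "%") {
                n = split(members[substr(who, 2)], m, ",")
                for (i = 1; i <= n; i++) print m[i]
            } else print who
        }
    ' "$sudoers" | sort -u
}

# Constructed sample files: the %admin line from the thread, joker in the
# admin group, jtwdyp as an everyday account, and a restricted backup rule.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# constructed sudoers sample' 'Defaults env_reset' \
        'root    ALL=(ALL) ALL' '%admin  ALL=(ALL) ALL' \
        'backup  ALL=(root) /usr/bin/rsync' > "$dir/sudoers"
    printf '%s\n' 'admin:x:112:joker' 'users:x:100:jtwdyp,joker' > "$dir/group"
    full_sudo_accounts "$dir/sudoers" "$dir/group"
    rm -rf "$dir"
}

demo
```

On the sample data only `joker` and `root` are reported; `jtwdyp` has to go through `su - joker` first, which is the arrangement the message tests.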




