root password setting unoffered at install
Gilles Gravier
Gilles at Gravier.org
Sun Nov 4 17:44:57 UTC 2007
This is more simplistic than having several users (roles) each with a
limited and well defined set of permissions... as would be for example
implemented with RBAC.
Since, with RBAC (Role Based Access Control) you can't by mistake do "rm
-rf /" and delete your own machine if you are currently active with the
"printer administrator" role, for example. If the "printer
administrator" role doesn't imply "full write access to filesystem" then
you just can't do that.
Whereas with the way SUDO is configured on Ubuntu, you can do "sudo rm
-rf /" just as easily as if you were root and did "rm -rf /" by mistake.
And believe me, it's easy to make a typo when doing something like "sudo
rm -rf /tmp/*" and end up with a command that goes "rm -rf /tmp /*"
because you hit the space bar at the wrong moment.
It is roughly equivalent to having a root user... with no available root
password. It normally is interesting as, that way, you can be yourself,
with no need to be root all the time, but with easy access to
administrative tasks... It's somewhat interesting to avoid mistakes. And
also interesting from a security perspective, since you don't have to
give root password to anybody. Just tell the sudo system that they are
(or are not) allowed to do administrative functions.
Sudo is also very interesting from a tracability perspective. If you use
root, once you log into the root account, commands ran as "root" lose
tracability. You could have several users logged in as root and you
don't know which one ran which command as root. With sudo, you keep a
log of which users actually sudoed each command. So from an auditing
perspective, it is much better that having a root user. (As long as
people don't "sudo bash").
Gilles.
Peter Garrett wrote:
> On Sun, 04 Nov 2007 18:28:19 +0100
> Gilles Gravier <Gilles at Gravier.org> wrote:
>
>
>> Simplistic in the sense that by default, your administrative user has
>> ALL THE ADMINISTRATIVE RIGHTS.
>>
>> In Ubuntu by default there the administrative roles (create users,
>> populate home directories, manage network, change peripherals, change
>> users passwords, and so many more) are simplistically merged into ONE
>> SINGLE ADMINISTRATIVE user.
>>
>
> How is this more simplistic than having a single root user who by
> definition has all administrative rights?
>
> Peter
>
>
--
/*Gilles Gravier*/ *=* *Gilles at Gravier.org* <mailto:Gilles at Gravier.org>
*=* *http://www.gravier.org/*
ICQ : *77488526*
<http://www.icq.com/whitepages/about_me.php?Uin=77488526> * || *MSN
Messenger : Gilles at Gravier.org <http://members.msn.com/Gilles@Gravier.org>*
*Skype : ggravier <callto://ggravier>* || *Y! : ggravier
<http://profiles.yahoo.com/ggravier> || AOL : gillesgravier
<aim:goim?screenname=gillesgravier>
PGP Key ID : *0x8DE6D026*
<http://pgp.mit.edu:11371/pks/lookup?search=0x8DE6D026&op=index>
My Last Known Position / Ma Derniere Position Connue
<http://www.gmap-track.com/user.php?user=ggravier>
"Chastity is its own punishment." (/Solomon Short/) [/David Gerrold/]
"De toutes les aberrations sexuelles, la chasteté est la plus
aberrante." [Anatole France]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20071104/df565b74/attachment.html>
More information about the ubuntu-users
mailing list