
Thinking of trying Ubuntu?



This was basically my starting point for problems... I set out trying to disable this (basically hacking in the proper sense) but it was like chasing ghosts... you follow one thing to the next etc. etc. actually taking my user from sudoers just broke things...
So, I suppose your real problem with it is that you expected it to act like some other distribution, and didn't accept it for what it was designed to be like?

Pretty much Yes....

 

Perhaps in some ways that's because I'm a stubborn stick in the mud.... but it's also justified in that the most secure is what you know... and what you can get experts to help you with... and also what you can actually discuss pros and cons with.

 

Now the problem for me is... just like someone posted here ... sudo passwd will set the root password... BUT it doesn't remove the sudo permissions. If you post the question "How do I disable sudo and leave the system still working" on the Ubuntu forums you will get any number of answers showing how to set the root password ... quite a few telling you to go back to Windows but none telling you how to remove sudo from the integration...

 

As mysty demonstrated she just wants to do it the "normal way"... but you are unlikely to find that on the Ubuntu forums and like arctic said even when you do it doesn't behave "normally"... normally being how the developers of sudo intended...

 

This has quite a lot of consequences.... I prefer on the whole to leave package management to the distro tools, be that Debian or Mandriva or Ubuntu but sometimes you can't... for example there is a bug in mysql-admin in several versions and the only way to get round it is downloading from CVS... so I have my own .deb for mysql-admin .. which I made myself... using CVS sources...

 

Now obviously mysql-admin is fairly important security wise... you are accessing mysql as the mysql priv user...

but ... when I compile it I compile it in the way the folks at mysql intended and I can be reasonably confident that they have security in mind... their livelihood depends on it...

 

Now if I start hacking mysql-admin to work with the sudo policy in Ubuntu then I will probably reduce the security of the application because I know a lot less about mysql than the devels... (and equally the Ubuntu maintainers know far less than the mysql devels)

 

This in itself is a chain reaction... if I use db based identification then I compromise that... etc.

 

What I'm saying is the Ubuntu maintainers and packagers know far less about mysql than the mysql devels... and less about sudo than the sudo devels.. etc. and equally the developers for mysql, KDE, Gnome, <insert here> know far more about their application(s) than Ubuntu devs (or Debian ones for that matter) ... and that by having to hack each package they are compromising the security work of the original developers... (and in the case of a commercial company like mysql that is a lot of work and taken very seriously)

 

The more "sensitive" the application the more likely the consequences are ... and the less predictable they will be... and just as importantly the less relevant information on security alerts is... going back to what mysti said...

I just want it to work like that... like any other distro... because that is what I am comfortable with but it is also what the developers had in mind... and I think the developers in most cases understand their application much better than I do!


Any user in the admin group can sudo

If you set up root by launching

 

sudo passwd root

 

then root is not in the admin group, iirc, or at least not the default password-requested user. How shall a newcomer to Ubuntu know about it? How is he supposed to know which config files need to be hacked in order to change that so there is a "normal" behaviour? And: How shall he know that he must remove the normal user from the admin group? And why do the GUI tools prefer the user password over the root password, even if both are in the admin group? That is imho highly irritating.

 

My old request is still there: Please ask the user during install if he wants sudo or a traditional root account. It cannot be that hard. E.g. Debian has this option and it is only ONE simple question you have to answer. Come on... porting that over from Debian cannot be that difficult (as Ubuntu is based on Debian).


By default it uses sudo. You can activate a root account but once you have done that, most administration tools will still ask you for the sudo password which is the password of the first user account you set up.

https://help.ubuntu.com/community/RootSudo

 

Any user in the admin group can sudo

Any user in sudoers can sudo.... and if this says ALL:ALL then any user password-less or not can sudo...

this includes user http or others... like mail etc.

SECURITY NOTES (sudoers)

sudo tries to be safe when executing external commands. Variables that control how dynamic loading and binding is done can be used to subvert the program that sudo runs. To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only), and LIBPATH (AIX only) environment variables are removed from the environment passed on to all commands executed. sudo will also remove the IFS, CDPATH, ENV, BASH_ENV, KRB_CONF, KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN, RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO, TERMINFO_DIRS and TERMPATH variables as they too can pose a threat.

CAVEATS

There is no easy way to prevent a user from gaining a root shell if that user is allowed to run arbitrary commands via sudo. ...

If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell regardless of any '!' elements in the user specification.
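
The point made in the post above ("Any user in sudoers can sudo", together with the quoted CAVEATS) can be checked on a given system by listing which principals hold an unrestricted ALL grant. This is an added example, not part of the original posts: the sample sudoers text is constructed, and the parser is a simplification that reads only plain user specifications (no alias expansion, one host list per line).

```python
import re

# Constructed sample, modelled on the Ubuntu-style setup discussed in the thread.
SAMPLE = """\
# /etc/sudoers (constructed example)
Defaults env_reset
root     ALL=(ALL) ALL
%admin   ALL=(ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) /usr/bin/rsync
dev      ALL=(ALL) ALL, !/bin/su, \\
         !/bin/bash
"""

# who  host = (runas) commands
SPEC = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")
TAG = re.compile(r"([A-Z_]+):\s*")  # NOPASSWD:, NOEXEC:, SETENV:, ...

def audit_sudoers(text):
    """Return one record per user specification in sudoers-format text."""
    records = []
    # A trailing backslash continues a rule on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        # '#' lines are comments or #include directives; neither is a grant.
        if not line or line.startswith("#") or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, _host, runas, rest = m.groups()
        cmds = [TAG.sub("", c).strip() for c in rest.split(",")]
        records.append({
            "who": who,
            "group": who.startswith("%"),
            "runas": runas or "root",  # sudo runs as root when no runas is given
            "nopasswd": "NOPASSWD" in TAG.findall(rest),
            "all_cmds": "ALL" in cmds,
            # Per the CAVEATS text, '!' exclusions do not contain a user who has ALL.
            "negations": [c for c in cmds if c.startswith("!")],
        })
    return records

def root_equivalent(records):
    """Principals that may run any command as root, i.e. can obtain a root shell."""
    return [r["who"] for r in records
            if r["all_cmds"] and r["runas"].split(":")[0] in ("ALL", "root")]
```

On a real system the input would be the output of `sudo cat /etc/sudoers` plus any included files; entries reported with both `all_cmds` and `negations` are the case the CAVEATS paragraph describes.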


Any user in the admin group can sudo

If you set up root by launching

 

sudo passwd root

 

then root is not in the admin group, iirc, or at least not the default password-requested user. How shall a newcomer to Ubuntu know about it? How is he supposed to know which config files need to be hacked in order to change that so there is a "normal" behaviour? And: How shall he know that he must remove the normal user from the admin group? And why do the GUI tools prefer the user password over the root password, even if both are in the admin group? That is imho highly irritating.

 

My old request is still there: Please ask the user during install if he wants sudo or a traditional root account. It cannot be that hard. E.g. Debian has this option and it is only ONE simple question you have to answer. Come on... porting that over from Debian cannot be that difficult (as Ubuntu is based on Debian).

Arctic, my experience from trying to achieve this is that it's no longer that simple....

Debian packages are built around a conventional model... but Ubuntu packages are already hacked to work with the Ubuntu sudo model....

I tried to implement this then found that packages edit sudo... themselves and expect it to be there and set up in the Ubuntu way...

 

I don't think this was the intention of Ubuntu... I think it's something that has happened... and the solution to a problem that was somehow self created.

 

I think the bottom line is it was something set as an ideal that looked easily achievable and turned out to be a bit more involved than they thought...

 

As a parallel .. I once worked on a remote access project for branch offices from round the world...

The guy "selling" the project made a statement that ALL users would have the same desktop .... as if they were in the local office.

Now users from the US or UK to France, this worked fine ... for branch offices in Africa with a 6 second latency and 64 kb/s via satellite it could NEVER work...

 

They could run the apps... fine.. what they couldn't do was run the desktop and the apps...

 

This one sticking point was never relinquished ... I spent a lot of time testing and actually built a test rig that introduced latency and BW restrictions... and proved this beyond any doubt but the guy who had stood in front of managers asking for money for the project simply refused to listen... or even read the results.

 

It was all or nothing for him and all simply wasn't possible...

This is where I think Ubuntu went wrong... someone said "users will never have to type a root password" and had an idea how to do it... that idea turned out to be flawed because it involved far more work than was thought and involved far more than just a few apps and no one will admit it turned out to be a money pit.


How shall a newcomer to Ubuntu know about it?
Ubuntu isn't really aimed at experienced Linux users, it's aimed at Linux newbies coming from Windows. For that it's perfect - confusing Windows users with questions about root would take away from the point of Ubuntu, which is to make Linux "easier" than most standard distributions. Not less secure, just less confusing.

 

Like I said before, if you don't like the philosophy of one Linux distribution, use a different one ;) - Ubuntu will do things the way they see fit, and IMHO the people who made these decisions probably know more about Linux than any of us could ever hope to :lol2:


Well, they definitely know more about it than I do. I am a noob compared to them, although I was part of a distro-devel team. And I forgot most things very soon after I have quit my work on the project. :)


Alright, I tried Ubuntu for about the last 3 weeks, two boxes, laptop and one desktop. It's ok, seems a little slower response wise than FC6. Other than the same sudo complaints others have it "would" make a nice desktop, however both of my boxes' programs crashed left and right, I couldn't believe how many times the bug buddy stepped up to the plate. I've run/tested Ubuntu before, but WOW, the bugs overtook me, I started filing some, but after last night when nothing but BUG BUG BUG flashed on my screen for 5 minutes with all types, I happily went back to Fedora :)

 

YMMV, but 2, that's 1, 2 boxes bugged all over the place, that's good enough for me to say bai bai....


Never experienced any bugs considering all kind of stuff I ran on it. Other than Beryl which are non-official and are in alpha stage. But a lot of new stuff are being tested in Edgy also things that are marked beta. Mark have the devs free hands on edgy to play around with it to test all kind of new stuff.

 

 

About the sudo issue people here are complaining about; I have both used su and sudo and prefer sudo a lot more, but I think it's a habit issue mostly and what people are used to.
