[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFC] disabled root account / distinct group for users with administrative privileges


2010/10/19 Michael Biebl <biebl@debian.org>:
> Hi,
> Bdale went ahead and added the following to /etc/sudoers:
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL

First of all: YES! Thanks! I didn't know the possibility of an install
with disabled root-login.
I use DebIan 90% in a professionell environment and disable root login
by hand. So yes, I would prefer an administrative group and would say:
disabled root login as default (like logins on GDM).
I don't like the idea to do sudo-things without password. I like it to
pass my secret, because this is a hint, that I do something
system-related. So: I think we need a password here.

> 1/ The sudo group in previous Debian releases had a different meaning: Members
> of groups sudo could run sudo without needing a password.
> 2/ Using the name sudo in context of PolicyKit sounds weird and misleading.

Yes, sudo is not a good name for an admin group.
Well, admin also, because "Domain admin", "admin" "and
"administrators" are to near to windows. I use winbind to get the
groups out of the active directory and would prefer unique names for
My suggestions are:

- debadm
- linad (linux-administrator)
- uwscp (just a joke: user-with-super-cow-powers; a lean to "his APT
has Super Cow Powers." ;) )


Reply to: