[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sudo questions

On Sun, Aug 18, 2013 at 7:32 PM, Brian <ad44@cityscape.co.uk> wrote:
> On Sun 18 Aug 2013 at 06:51:04 +0900, Joel Rees wrote:
>
>> On Sun, Aug 18, 2013 at 4:03 AM, Brian <ad44@cityscape.co.uk> wrote:
>> > On Sun 18 Aug 2013 at 03:12:39 +0900, Joel Rees wrote:
>> >
>> >> But debian's installer tries to encourage the user to not enable root,
>> >
>> > No, it doesn't.
>>
>> Perhaps you would rather I said something like, it gives the option to
>> establish an initial account and tells the person performing the
>> install
>>
>>     if root login is enabled,
>>     the initial account will not be an admin account,
>>     but if root login is disabled,
>>     the initial account will be a member of the sudo group
>>     and thus an admin account,
>>     and, by the way, you might prefer to not enable root login.
>>
>> Is that closer to what the installer does in your opinion?
>
> Yes, closer but the installer doesn't adopt a stance on sudo versus
> root login. The wordings presented to the user are:
>
>  If you choose not to allow root to log in, then a user account will be
>  created and given the power to become root using the 'sudo' command.

Hmm. I think I was reading my prejudices into that.

> and
>
>  You need to set a password for 'root', the system administrative
>  account. A malicious or unqualified user with root access can have
>  disastrous results, so you should take care to choose a root password
>  that is not easy to guess. It should not be a word found in dictionaries,
>  or a word that could be easily associated with you.
>  .
>  A good password will contain a mixture of letters, numbers and punctuation
>  and should be changed at regular intervals.
>  .
>  The root user should not have an empty password.

Ah, I think I was misreading this part, again, according to my prejudices.

> If you leave this
>  empty, the root account will be disabled and the system's initial user
>  account will be given the power to become root using the "sudo"
>  command.

Maybe I need to file a feature request (for my own satisfaction, even
if it gets rejected).

What I lean towards is providing the installing user
(1) the opportunity to set the root password,
(2) the opportunity to set a separate admin account and password
(member of sudo group on debian),
and (3) the opportunity to set a separate non-admin work account and password.

(To go into more detail, I'd go so far as to present a few
l33t5pe@k-ed randomized-with-entropy example passphrases at each step,
though not actually putting anything into the password entry field.
I'm a bit aggressive about pushing good passwords. Of course, that
requires a largish spelling dictionary in the installer, to pull the
random passphrases from. :-/)

Anyway, I can see I've been reading the installer in the context of my
opinions about the ideal minimum number of accounts.

--
Joel Rees
Reply to: