Wayne Hartell wrote:
> As a new Linux/Debian user I have been doing the "not recommended"
> thing (at least I think it says it's not recommended; it has been a
> while since my last install) thing of not setting a password for
> root. That way there's no hoops to jump through to the installer
> puts my intended user account into the sudoers list.

I don't think that is "not recommended" at all. It is fully supported. It is a well behaved path. It isn't well known though, and I think that may be what you are reading as not recommended. But those of us that know what it does do "know what it does", and it is just one of the choices available. Not being as well known as the mainstream path in this case doesn't make it less well tested, because less well known is still quite well known and quite well tested.

Also I will point out that Ubuntu does this by default. Ubuntu's default is one way and Debian's default is the other way.

> Now the steps to do this manually are re-described above I realize
> that under Gnome it's not actually that hard to do (when making my
> install selections I had memories of the manual way trying to edit
> the sudoers file, which for a new user is a little daunting. I
> recall it taking me a few attempts to get it to work. The installer
> gave me an easy way out).

Debian creates a 'sudo' group. Any user in the sudo group has sudo access. This is done by the default /etc/sudoers config line:

    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL

There is some history as to why that is done that way. For one thing it allowed a style of system config where that /etc/sudoers file is never modified. If it is never modified then the package manager can update it without any interaction from the user.
The traditional /etc/sudoers config, where individual modifications are made for each user, requires the package manager to notify the admin upon every upgrade that the file is different in the new package, and the admin must merge those together. That trips people up sometimes, such as when secure_path was added to the config. Admins that said "keep" their current config then had problems with PATH until they figured out that they were missing secure_path. They should have merged their custom config with the new config. It was a self-induced problem, but one that happens. By keeping the /etc/sudoers file package pristine that problem is avoided.

I now recommend putting any custom config into something like /etc/sudoers.d/zz-sudoers-local instead. That will never be packaged and will never need a merge.

> That brings me to my point; due to my installer choices, I cannot
> log in under root on the three systems that I have installed so
> far. Right now I have no reason to believe that this is or ever will
> be an issue since I can use sudo and that feels safer to me. Does
> anyone have any different opinions on this? (These are home systems
> and predominantly for learning Linux/Debian at this point, as
> opposed to being core systems that are depended upon for daily use,
> although one day in the not too distant future I hope to change
> this).

You probably don't realize it, but you are asking a religious question. There is no single right answer. But people do feel very strongly about the issue, and people do feel strongly that other people's opinions are wrong about it. If you search the archives there have been flamewars on it before.

The sect that thinks allowing root logins is ultimately bad has some belief that because root isn't blocked from logging in, attackers can somehow magically actually log in as root. That just isn't true. For you in your environment I don't see it ever being a problem. You should definitely feel free to continue.
You will even find people who believe blocking root is The One True Way. Anyone doing anything different, they feel, is doing something heinously wrong.

For me in my environment I have often needed to log into remote server systems as root because the system was in trouble and needed a root login to take corrective action. I have many times had cases where logging in as a non-root user was ineffective because the non-root user was unable to fork sudo due to the system being sick and needing help. With the ability to log in as root I was able to diagnose the problems, take corrective action on the remote server, and get it back online. Most importantly, diagnose problems. Without visibility I would only have been able to power cycle the server and would have had no diagnostic ability and no idea what it was doing. For me being able to log in as root is The One True Way.

There is a huge difference and a large sameness between enterprise servers and your portable laptop. They can both be running exactly the same Debian system. It is the Universal Operating System after all. And yet your home desktop or laptop is not anything at all like an enterprise server system. It is interesting that they are so much the same and yet so different. It is the differences that cause people to practice such different admin strategies. It is the sameness that causes conflict between them, because we are all here discussing our favorite Debian system.

It is almost like talking about fixing a tuna sandwich for lunch. We might be opening a lunch box 100 feet up in the air on a construction site, or we might be a chef in a 5-star restaurant in a prestigious New York restaurant worried about reviews, revenue, and health inspections. Both completely different from each other. Both doing the same thing. But with completely different concerns.

Bob
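The drop-in approach Bob recommends above (a local policy file under /etc/sudoers.d rather than edits to the packaged /etc/sudoers), written out as a small shell script. This is an added example, not code from Bob's message or from the Debian sudo package. The drop-in name zz-sudoers-local comes from the message; the user "alice", the single command she is granted, and the secure_path value (the one I believe Debian ships, so check it against your own /etc/sudoers) are assumptions for illustration. The directory is a parameter so the script can be tried unprivileged against a scratch directory before it is pointed at /etc/sudoers.d.

```shell
#!/bin/sh
# Added example (not from the original post or the sudo package): stage a
# local sudo policy as a /etc/sudoers.d drop-in so /etc/sudoers is never
# edited and dpkg can replace it on upgrade without a conffile merge prompt.
# Assumed names: drop-in zz-sudoers-local, user "alice", the granted command,
# and the secure_path value (believed to be Debian's default; verify locally).
set -eu

# write_sudoers_dropin DIR USER
# Creates DIR/zz-sudoers-local granting USER one passwordless command.
# Returns non-zero (and leaves no policy file behind) if visudo rejects it.
write_sudoers_dropin() {
    dir=$1
    user=$2
    file="$dir/zz-sudoers-local"
    # sudo ignores files in sudoers.d whose name contains a '.' or ends in
    # '~', so a half-written "*.tmp" file is never read as policy even if
    # this script dies part way through.  The final name has neither.
    tmp="$file.tmp"

    mkdir -p "$dir"
    cat > "$tmp" <<EOF
# Local sudo policy.  Kept out of /etc/sudoers so the packaged file stays
# pristine and new Defaults (secure_path was the classic case) arrive on
# upgrade without a merge.  Debian's /etc/sudoers pulls this directory in
# through its includedir line.
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Members of group sudo already get ALL from the packaged "%sudo" line.
# This grants one extra user a single command, without a password.
$user ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
EOF
    # sudo rejects drop-ins that are group- or world-writable; 0440 is the
    # mode visudo -c expects.
    chmod 0440 "$tmp"

    # A syntax error in any sudoers.d file breaks all of sudo, which is
    # exactly the situation where a usable root login saves you.  So check
    # before installing.  visudo -c also verifies owner and mode, which only
    # pass for a root-owned file, hence the root check.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
    else
        echo "note: not root or no visudo available; skipping 'visudo -cf'" >&2
    fi

    # Atomic rename: sudo sees either no policy file or the complete one.
    mv "$tmp" "$file"
}

# Usage (as root):  sh this-script.sh /etc/sudoers.d alice
# Then confirm the effective rules with:  sudo -l -U alice
if [ "${1-}" ]; then
    write_sudoers_dropin "$1" "${2:-alice}"
fi
```

Two things worth doing after installing the file for real: run `sudo -l -U alice` to see the merged policy as sudo computes it, and keep a root shell open (or know you can log in as root on the console) while you test, since a bad drop-in takes sudo down with it.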