Re: [SOLVED] Re: Security hole in LXDE?

To: debian-user@lists.debian.org
Subject: Re: [SOLVED] Re: Security hole in LXDE?
From: Joe <joe@jretrading.com>
Date: Mon, 6 Mar 2017 19:57:25 +0000
Message-id: <[🔎] 20170306195725.43c40f86@jresid.jretrading.com>
In-reply-to: <[🔎] 20170306193640.GG1151@copernicus.org.uk>
References: <7419461.KfDLPVJcsL@protheus1> <20170227095657.GA24217@chew.redmars.org> <9627241.pBTbCqPFJB@protheus7> <[🔎] 1848698.xaGGJNiZUA@protheus1> <[🔎] 20170306183146.1ef40dea@jresid.jretrading.com> <[🔎] 20170306184045.GB11830@eeg.ccf.org> <[🔎] 20170306185918.33992538@jresid.jretrading.com> <[🔎] 20170306193640.GG1151@copernicus.org.uk>

On Mon, 6 Mar 2017 19:36:40 +0000
Brian <ad44@cityscape.co.uk> wrote:

> On Mon 06 Mar 2017 at 18:59:18 +0000, Joe wrote:
> 
> > On Mon, 6 Mar 2017 13:40:45 -0500
> > Greg Wooledge <wooledg@eeg.ccf.org> wrote:
> >   
> > > On Mon, Mar 06, 2017 at 06:31:46PM +0000, Joe wrote:  
> > > > Debian appears to use the group 'sudo' as an administrative
> > > > group, where some other distributions use 'wheel'.
> > > > 
> > > > I would not have thought that users would be added to it by
> > > > default, there are no members on my sid/xfce4 workstation.
> > > > Indeed, up to Jessie, sudo was not installed at all by default,
> > > > and may still not be.    
> > > 
> > > If you use the regular Debian installer, the user account that you
> > > create during installation gets added to a lot of these special
> > > groups (sudo, cdrom, floppy, audio, video, ...?).  Users that you
> > > create post-installtion using adduser or useradd do not.
> > >   
> > 
> > New behaviour, then, my current sid was installed as wheezy, I added
> > sudo manually early on, but as it was not installed by default, it
> > would not have added the installing user to a sudo group. I'm
> > certainly not a member of that group, and have no wish to be.  
> 
> The "first user" is not in the sudo group. The place to check this
> is the templates file in the user-setup-udeb package.
>  
> > Possibly I'm missing something, but doesn't this repeat the Windows
> > mistake of automatically giving the user admin privileges? Isn't
> > that the main reason for the existence of so many Windows viruses?  
> 
> Look at it this way. The "first user" wishes to set up a printer. Is
> it better for the user to be granted very limited privileges by being
> in the lpadmin group or to become root to carry out the task?
> 

Who said anything about lpadmin? The question is about the wisdom of
automatically including someone in the sudo group, which in a default
Debian sudoers file, gives full root privileges to everything, using the
user's password.

We have someone saying this happens, someone else saying it doesn't, I
don't know as I haven't done a recent installation, and the thread was
started by someone who says it did happen to him.

-- 
Joe

Reply to:

Follow-Ups:
- Re: [SOLVED] Re: Security hole in LXDE?
  - From: Curt <curty@free.fr>
- Re: [SOLVED] Re: Security hole in LXDE?
  - From: Brian <ad44@cityscape.co.uk>

References:
- [SOLVED] Re: Security hole in LXDE?
  - From: Hans <hans.ullrich@loop.de>
- Re: [SOLVED] Re: Security hole in LXDE?
  - From: Joe <joe@jretrading.com>
- Re: [SOLVED] Re: Security hole in LXDE?
  - From: Greg Wooledge <wooledg@eeg.ccf.org>
- Re: [SOLVED] Re: Security hole in LXDE?
  - From: Joe <joe@jretrading.com>
- Re: [SOLVED] Re: Security hole in LXDE?
  - From: Brian <ad44@cityscape.co.uk>

Prev by Date: Re: [SOLVED] Re: Security hole in LXDE?
Next by Date: Re: [SOLVED] Re: Security hole in LXDE?
Previous by thread: Re: [SOLVED] Re: Security hole in LXDE?
Next by thread: Re: [SOLVED] Re: Security hole in LXDE?
Index(es):
- Date
- Thread