Re: Please, don't let sudo be auto-removable
- To: debian-user@lists.debian.org
- Subject: Re: Please, don't let sudo be auto-removable
- From: David Wright <deblis@lionunicorn.co.uk>
- Date: Thu, 31 Jul 2025 22:35:34 -0500
- Message-id: <aIw2Bmc8tdpQEKx0@axis.corp>
- Reply-to: debian-user@lists.debian.org
- In-reply-to: <aIu+8s2SNaVtAtZd@mail.bitfolk.com>
- References: <530c7212-c2c1-4e24-b169-dd4c0ecf9bdd@chafar.net> <DACA7CA0-38EC-4C0B-B7C4-92ED77C116B3@cyberfusion.nl> <e110de92-8f5d-44ad-a6a4-f13d0f72cfca@darac.org.uk> <9f1c6bbb99bac17a6a6eadd78b4edfae8956c273.camel@janc.be> <aIu+8s2SNaVtAtZd@mail.bitfolk.com>
On Thu 31 Jul 2025 at 19:07:30 (+0000), Andy Smith wrote:
> On Thu, Jul 31, 2025 at 08:01:56PM +0200, Jan Claeys wrote:
> > On Wed, 2025-07-30 at 19:55 +0100, Darac Marjal wrote:
> > > There's an argument that sudo should refuse to uninstall itself (e.g.
> > > in a prerm script) if the root user doesn't have a password at all.
> > > That would be a neat trick.
> >
> > There are many other tools that allow you to run things as root under
> > certain conditions (doas, pkexec, runc, ssh, etc.). There is no way
> > sudo's prerm script can check all possible ways (which would also
> > include being able to "understand" all possible configurations of each
> > tool!).
>
> We have learned in this thread that sudo does already have a check in its
> prerm that prevents its removal if the system has a root account with no
> password or if root is a locked account.
>
> It seems reasonable to argue that if sudo is already installed then the user
> might use it and erring on the side of caution by assuming that there
> may not be another way to obtain root privileges is appropriate. Yes
> that will occasionally be unnecessary if the user intends to switch to a
> sudo alternative. The removal can be forced in that case.

Do other flavours of linux and unix do this? I view this sort of
protection in the same way as, for example, making "rm -i" the default
behaviour of rm. It leads people to assume there's always a safety net
when their actions are reckless.

> For those not familiar with the dpkg scripts, you can see it at:
>
> /var/lib/dpkg/info/sudo.prerm
>
> If you strongly disagree that this is reasonable then you're actually
> asking for a change in the sudo packaging to remove that check…

No, the d-i effectively makes a contract with these words:

“The root user should not have an empty password.
If you leave this empty, the root account will be
disabled and the system's initial user account
will be given the power to become root using the
"sudo" command.”

So I think that confirming removal when the root password is empty
is a check that always has to be made.

Cheers,
David.
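
The condition discussed in this thread (root with no password, or a locked root account) can be read from the password field of root's shadow(5) entry. The sketch below is an added example, not the contents of sudo.prerm and not code from any poster; the function names and the sample lines are constructed for illustration, and it assumes the usual convention that a field starting with "!" or "*" cannot match any password.

```shell
#!/bin/sh
# Classify root's password field from shadow(5)-format input on stdin.
# Prints one of: empty, locked, set, missing.
# (Hypothetical helper; real use would be: root_pw_state < /etc/shadow, as root.)
root_pw_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"    # no password at all
            else if ($2 ~ /^[!*]/) print "locked"   # no hash can match
            else                   print "set"      # a usable hash is present
            exit
        }
        END { if (!found) print "missing" }
    '
}

# Succeeds (exit 0) when removing sudo could leave no password route to root,
# i.e. whenever root's state is anything other than "set".
sudo_removal_needs_confirmation() {
    state=$(root_pw_state)
    [ "$state" != set ]
}

# Constructed sample entries (not taken from a real system).
SAMPLE_EMPTY='root::20000:0:99999:7:::'
SAMPLE_LOCKED='root:!:20000:0:99999:7:::'
SAMPLE_SET='root:$y$j9T$constructedsalt$constructedhash:20000:0:99999:7:::'

for sample in "$SAMPLE_EMPTY" "$SAMPLE_LOCKED" "$SAMPLE_SET"; do
    if printf '%s\n' "$sample" | sudo_removal_needs_confirmation; then
        echo "root is $(printf '%s\n' "$sample" | root_pw_state): confirm before removing sudo"
    else
        echo "root has a password: no extra confirmation needed"
    fi
done
```

This only looks at root's own password; as Jan Claeys notes in the quoted text, it says nothing about other configured routes to root such as doas, pkexec or ssh.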