In case you're still confused, I'll try a little more direct response. (Lots of informative responses in this thread, but I feel a blog coming on. The rant I wrote on this a long time ago needs updating.)
On Wed, Aug 14, 2013 at 7:14 PM, François Patte <francois.pa...@mi.parisdescartes.fr> wrote:
> Bonjour,
>
> For some unknown reason I did not activate the root account during the
> installation. I activated it from a user account, say John Doe.

johndoe sounds like a great name for an admin account. Much better than admin.

But Debian's installer tries to encourage the user to not enable root, and to set up a non-root administrator account instead. (That part needs a little work. I suppose I should make some time to come up with some patches to offer them.)

> Now John Doe can become root anytime and do anything on my machine.

Well, yeah, that's what the primary admin account should be able to do.

> How can I deactivate this?

man visudo

and the related stuff.

(But what's this thing with sudo-edit or something? And why, oh, why do they insist that pico should be the default editor for configuration files? Well, you may find pico more comfortable than vim. I don't. Vim is much more well-behaved when I'm editing configurations.)

> I have seen that John Doe is a member of
> almost all groups in /etc/group and /etc/gshadow...

man adduser

or maybe usermod or deluser. The interface looks a little clumsy for removing johndoe from all those groups, yes. Careful editing with vigr (with and without the -s option) may be quicker.

> Is there a simple method to remove John Doe from these files and are
> there other files to modify?

It's going to be a little clumsy, take maybe ten minutes.

But, but, but, ...

Wait a minute!

Now that I've told you how to figure out how to untangle johndoe from his admin privileges, do you really want to do that? Maybe you would prefer to make another non-admin account, and leave johndoe intact as your non-root admin account?

(I and a number of other users here strongly encourage you to consider this. I'll try to blog about the reasons why sometime next week, but my blogs are not on the lists here, and you want answers now. Well, read the whole thread, the basic answers are pretty well covered, if not all in one place.)

> I asked a question about this inconvenience of the sudo way to activate
> root account: lightdm accepts to login root for a graphical session, I
> found a method to forbid this: add this line in /etc/pam.d/lightdm:
>
> auth required pam_succeed_if.so user != root quiet

Excellent idea.

> I don't understand this "fashion": sudo and no root account.... It is
> the same under ubuntu. What for?

The simple answer is that sudo allows more fine-grained control over what you allow administrator accounts to do.

Along with that fine-grained control, it provides a bit more of a buffer between you and, say, "rm -rf /*", or the even more evil version without the file glob.

Even experienced admins find themselves trying to shoot themselves in the foot from time to time. Working as much as possible as a non-root user helps to prevent toes and whole legs from being blown off. So to speak.

(My old rant suggested that installs should encourage setting up both a non-root admin and a non-admin user. I still think that's the best approach, but some of the devs think it just gets too much in the way.)

> Thanks.
>
> --
> François Patte

--
Joel Rees
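
An added sketch, not part of the original message, of the group cleanup discussed above: it reads a group(5)-format file, lists the groups that name a user as a supplementary member, and prints (without running) the `deluser` commands that would drop the memberships you do not want to keep. The function names and the sample group file are constructed for illustration.

```shell
#!/bin/sh
# List groups in a group(5)-format file that list USER as a supplementary
# member. The user's primary group (set in /etc/passwd) is not considered.
# usage: groups_of USER [GROUP_FILE]
groups_of() {
    user=$1
    file=${2:-/etc/group}
    awk -F: -v u="$user" '
        {
            # Field 4 is the comma-separated member list; match whole names
            # only, so "johndoe" does not match "johndoes".
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) { print $1; break }
        }' "$file"
}

# Print the deluser commands that would remove USER from every supplementary
# group except those in KEEP (space-separated). Nothing is executed, so the
# plan can be reviewed before it touches /etc/group and /etc/gshadow.
# usage: plan_removal USER "KEEP GROUPS" [GROUP_FILE]
plan_removal() {
    user=$1; keep=$2; file=${3:-/etc/group}
    groups_of "$user" "$file" | while read -r g; do
        case " $keep " in
            *" $g "*) ;;                                  # membership kept
            *) printf 'deluser %s %s\n' "$user" "$g" ;;
        esac
    done
}

# Constructed sample data, not taken from any real system.
sample_group_file() {
cat <<'EOF'
root:x:0:
adm:x:4:johndoe
sudo:x:27:johndoe,alice
cdrom:x:24:johndoe
audio:x:29:alice,johndoe
johndoe:x:1000:
johndoesmith:x:1001:johndoes
EOF
}

# Demo: keep the desktop groups, plan removal from the administrative ones.
demo_file=$(mktemp)
sample_group_file > "$demo_file"
plan_removal johndoe "cdrom audio" "$demo_file"
rm -f "$demo_file"
```

Review the printed plan and run the commands as root only once you are sure another account still has administrative access.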