On 25/10/13 13:03, Doug wrote:
> On 10/24/2013 09:26 PM, Bob Proulx wrote:
>> Ralf Mardorf wrote:
>>> Reading the list for a while, I won the impression that Debian by
>>> default now comes with sudo enabled.
>>
>> It is one of the two possible choices that can be made during the
>> installation. There isn't a default.
>>
>> The user either chooses to enter a root password and also a user
>> account and user password. Or chooses to only have a user account and
>> user password without a root password. In the latter case, if at
>> install time only a user account and user password is input, then the
>> debian-install will set up sudo. It won't set up sudo if a root
>> password was entered. So whether it is set up after an install
>> depends upon the installation.
>>
>
> /snip/
>> Bob
>>
>
> I know Debian is different, but the distro I use and the man page
> for sudo, I believe, expects there to be a root password, that sudo
> will expect when invoked. And there would also be a user password
> for each user. A user who is permitted to use sudo would be given the
> root password, and his name would be entered into the sudoers file.
> (Perhaps a different password can be assigned, I don't know.)

Sounds like the enterprise security policy I'm familiar with (not useful for "home users") that enforces good, unique passwords (and no sudo).

> The main purpose of sudo, as I understand it, is to prevent a user
> from opening up su and then leaving it open--sudo will close after
> a selected interval of non use.

Interesting. An aspect other than convenience for mostly "home user" desktops (other uses of Debian tend to use expert or seeded builds) that I hadn't considered...
However, couldn't the same timestamp mechanism be used to timeout su sessions?

Also, I'm not the only one who enforces effectively the same policy via a different method:-

    # sh -c 'echo "[ \$USER = root ] && export TMOUT=120" >> /etc/profile'

and/or

    # sh -c 'echo "[ \$GROUP = wheel/adm/staff/backup/whatever ] && export TMOUT=120" >> /etc/profile'

<snipped>

> I don't understand how a user without the root password, and only
> his own password could use sudo, which seems to be how Debian is set
> up.

Not just Debian. And it's by using the "NOPASSWD" option (with, as Bob has clarified) in the first user created's sudoers profile

>
> --doug
>

Kind regards
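
The idle-timeout policy mentioned in the message above, written out as a profile fragment. This is an added example, not part of the original post; the file location (/etc/profile.d/idle-timeout.sh), the group list and the function names are assumptions. It reads group membership from `id -Gn` and marks TMOUT read-only so the session cannot unset it:

```shell
# Assumed location: /etc/profile.d/idle-timeout.sh (sourced by login shells).
# bash honours TMOUT in interactive shells; shells without TMOUT support ignore it.

IDLE_TIMEOUT_SECS=120                 # same value as the TMOUT=120 in the thread
IDLE_TIMEOUT_GROUPS="wheel adm"       # constructed sample list; adjust per site

# needs_idle_timeout USER "GROUP1 GROUP2 ..."
# Returns 0 when USER is root or belongs to one of IDLE_TIMEOUT_GROUPS.
needs_idle_timeout() {
    _user=$1
    _groups=$2
    [ "$_user" = root ] && return 0
    for _have in $_groups; do
        for _want in $IDLE_TIMEOUT_GROUPS; do
            [ "$_have" = "$_want" ] && return 0
        done
    done
    return 1
}

# Apply the policy to the current session.
apply_idle_timeout() {
    if needs_idle_timeout "$(id -un)" "$(id -Gn)"; then
        TMOUT=$IDLE_TIMEOUT_SECS
        # readonly keeps this shell from unsetting or raising the value later.
        readonly TMOUT
        export TMOUT
    fi
}

apply_idle_timeout
```
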