Doug wrote:
> I know Debian is different,

Most of us say that in a good way. :-)

> but the distro I use and the man page for sudo, I believe, expects
> there to be a root password, that sudo will expect when invoked.

The most normal and traditional use of sudo is that sudo will expect
the user's password, not the root password. The sudoers man page says:

  Unlike su(1), when sudoers requires authentication, it validates the
  invoking user's credentials, not the target user's (or root's)
  credentials. This can be changed via the rootpw, targetpw and
  runaspw flags, described later.

But as it says it is configurable. Therefore we can assume that some
admins will configure their system to use the root password. If it can
be done then someone will do it just because they can. But in my
experience that is not the typical case. Typically sudo will ask for
the user password. And I think that is the best strategy to use with
it. Otherwise you would simply use su.

> And there would also be a user password for each user. A user who is
> permitted to use sudo would be given the root password, and his name
> would be entered into the sudoers file.

That is certainly possible. But in my experience I have never seen
that admin strategy implemented. Note that if you give the person the
root password then there is no need to enter their name in the sudoers
file. If they want to use sudo then they can enter their own name in
that file.

Note that I use sudo a lot because the behavior is convenient. But I
do also know the root password on my systems. I also use su a lot.
The sudo tool is awesome for providing a nice safety net for users
given a limited superuser ability. But it is also awesome for the
typical full admin too.

> The main purpose of sudo, as I understand it, is to prevent a user
> from opening up su and then leaving it open--sudo will close after a
> selected interval of non use.

Uhm... What? That description isn't quite right. By default they do
different things. But it depends upon what you type in at the command
line. Close what? A terminal?

If you invoke a terminal with either su or sudo then it won't ever be
automatically closed. If you invoke a command then both su and sudo
will run the command to completion. No difference. In that case there
isn't anything to close.

The only time element is that sudo will keep track of the last time
you entered your password. If you run the command again and it is
within the time out then it won't annoy you by asking you for the
password again. You can use sudo to run commands one after the other
and there is a persistent state. After the first password inquiry then
subsequent commands will remember that you are still typing at your
keyboard and that you are authorized. This resets after a timeout of
five minutes by default.

There is very little difference between:

  su
  sudo -s
  sudo $SHELL
  sudo su

Or between:

  su -
  su -l
  sudo -i
  sudo su -
  sudo su -l

Or between:

  su -c "foocommand"
  sudo foocommand

> Some distros frown on the use of sudo, and do not make it easily
> available.

I don't understand that. I believe a software distribution is there to
make installing and using software easy and convenient. If a distro is
making it difficult to install and use software then that does not
seem to be a successful strategy to me. What distros make installing
and using software difficult? Example?

> But I don't understand a distro where anyone who has access to the
> machine can use sudo.

A KNOPPIX live read-only cdrom image system makes perfect sense that
way. What else would you do? Also every other live read-only cd boot
image such as debian-live and others. But I am curious if there are
other examples that are not live cd boot images.

> I guess I don't understand how a user without the root password,
> and only his own password could use sudo, which seems to be how
> Debian is set up.

Debian is NOT set up that way by default. It depends upon the
installation. Regardless it is available for installation and use
afterward and many of us always install it.

When sudo is configured that is the typical configuration. Sudo
typically asks for the user's password not the root password. That is
how it was designed to work. It is configurable otherwise. Perhaps you
have configured it otherwise on your system and have since forgotten?

I believe Ubuntu does install sudo by default. And I think it is
specifically because users do not deal with passwords very well. Most
of the masses would prefer not to have a password at all. And I will
vouch for that too. I often see people struggle to understand why a
password is needed. And often these are very smart in their field
engineers! That is why we hear about fingerprint readers and other
biometrics. Therefore systems like Ubuntu have reduced the number of
passwords from two down to one by using this strategy. They are just
following the demand of their base users.

Please note that sudo is not a new thing. It is not an Ubuntu thing as
I sometimes hear. I have been using sudo on Unix systems for a very
long time and well before GNU/Linux systems. Sudo has been on HP-UX,
SunOS, Solaris, IBM AIX and others for many years. It isn't anything
new. It is a good worthy tool.

Bob
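
As an added illustration (not part of the message above and not sudo's own code), this shell function reads a sudoers file and reports whose password sudo would ask for, per the rootpw, targetpw and runaspw flags quoted from the man page, together with the password-cache timeout. The sample policies are constructed; handling only global "Defaults" lines and the precedence among the three flags are assumptions of this example.

```shell
#!/bin/sh
# Added example: which password does this sudoers policy ask for, and how
# long is a successful authentication cached?
# Assumptions: only global "Defaults" lines are read (Defaults:user,
# Defaults@host, line continuations and #include are ignored), and when
# several flags are set the order is rootpw, then runaspw, then targetpw.

sudo_auth_policy() {            # $1 = sudoers file (stdin if omitted)
    awk '
    BEGIN { timeout = 5 }       # minutes; the default named in the message
    /^[ \t]*#/ { next }         # skip comment lines
    $1 == "Defaults" {
        sub(/[ \t]*#.*$/, "")                   # drop a trailing comment
        sub(/^[ \t]*Defaults[ \t]+/, "")        # keep only the option list
        n = split($0, opts, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            o = opts[i]
            gsub(/^[ \t]+|[ \t]+$/, "", o)
            if (o ~ /^!?(rootpw|targetpw|runaspw)$/) {
                name = o; sub(/^!/, "", name)
                flag[name] = (o !~ /^!/)        # "!flag" switches it off
            } else if (o ~ /^timestamp_timeout[ \t]*=/) {
                sub(/^[^=]*=[ \t]*/, "", o); timeout = o
            }
        }
    }
    END {
        who = "invoking-user"                   # the behaviour Bob describes
        if (flag["targetpw"]) who = "target-user"
        if (flag["runaspw"])  who = "runas-default-user"
        if (flag["rootpw"])   who = "root"
        printf "password=%s timeout_min=%s\n", who, timeout
    }' "${1:--}"
}

# Constructed sample policies (not taken from any real system).
demo_default='Defaults env_reset
%sudo ALL=(ALL:ALL) ALL'
demo_rootpw='# ask for the root password, cache it for 15 minutes
Defaults env_reset, rootpw
Defaults timestamp_timeout=15
%wheel ALL=(ALL) ALL'

printf '%s\n' "$demo_default" | sudo_auth_policy
printf '%s\n' "$demo_rootpw"  | sudo_auth_policy
```

On a real system the same function can be pointed at a readable copy of the sudoers file; files pulled in by include directives are not followed.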