 
05-04-2010, 08:56 PM
William Jon McCann

sudo by default?

Hey,

So what is our view of setting up sudo by default for standalone
systems? Probably has some relationship with the systems on which we
prevent root logins.

It is worth noting that many of us have to set up ourselves each time
we install Fedora. Might be nice if something like it was done by
default.

Is sudo the right answer or should we be thinking about pkexec? Thoughts?

Thanks,
Jon
--
desktop mailing list
desktop@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/desktop
 
05-04-2010, 08:59 PM
Bill Nottingham

sudo by default?

William Jon McCann (william.jon.mccann@gmail.com) said:
> So what is our view of setting up sudo by default for standalone
> systems? Probably has some relationship with the systems on which we
> prevent root logins.
>
> It is worth noting that many of us have to set up ourselves each time
> we install Fedora. Might be nice if something like it was done by
> default.
>
> Is sudo the right answer or should we be thinking about pkexec? Thoughts?

I thought the idea was setting up desktop_admin_r, and that for the
standalone systems, we were trying to avoid having to rely on anything
that would need to be exposed via sudo.

As for me, I tend to just uncomment some of the more drastic lines in
pam.d/su.

Bill
 
05-04-2010, 09:07 PM
Jesse Keating

sudo by default?

On Tue, 2010-05-04 at 16:56 -0400, William Jon McCann wrote:
> Hey,
>
> So what is our view of setting up sudo by default for standalone
> systems? Probably has some relationship with the systems on which we
> prevent root logins.
>
> It is worth noting that many of us have to set up ourselves each time
> we install Fedora. Might be nice if something like it was done by
> default.
>
> Is sudo the right answer or should we be thinking about pkexec? Thoughts?
>
> Thanks,
> Jon

I like sudo, it is a more traditional tool than pkexec. While it does
remove the need from having to know the root password, it doesn't
obviate the need for a root user who has all the fun. Sudo would just
get you access to some/all of it.

That said, I think it would be useful in our new user creation that if
we said that this user is the local admin (for whatever that does to
your policykit settings) we also grant them sudo access. Probably the
best way to deal with this is not to munge the /etc/sudoers file, but
instead ship a config file that allows for a certain group or pk role to
have sudo rights, and then when we create the user(s) we either add them
to that group or role or not. That way they can pick up sudo rights
without us having to modify the rpm shipped config file. But now I'm
off in implementation land...

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
 
05-04-2010, 09:19 PM
Brad Banko

sudo by default?

I hope you don't mind me chiming in... I am a user who has used sudo and been pleased with having the flexibility to give root commands, do system wide searches without having to login as root...

Does having sudo privileges (not restricted, but equivalent to root) give you the power to "take root"... change root's password? (e.g., ' sudo passwd root ...' ) I know that I don't appreciate the security issues fully of logging in as root (restricted to a terminal) versus using sudo in a terminal window ( sudo authority has a time expiration on it and requires the sudoers password to initiate ).

And if sudo doesn't give a user the ability to "take root", what does one do if one forgets their root password?


On Tue, May 4, 2010 at 5:07 PM, Jesse Keating <jkeating@redhat.com> wrote:


> On Tue, 2010-05-04 at 16:56 -0400, William Jon McCann wrote:
> > Hey,
> >
> > So what is our view of setting up sudo by default for standalone
> > systems? Probably has some relationship with the systems on which we
> > prevent root logins.
> >
> > It is worth noting that many of us have to set up ourselves each time
> > we install Fedora. Might be nice if something like it was done by
> > default.
> >
> > Is sudo the right answer or should we be thinking about pkexec? Thoughts?
> >
> > Thanks,
> > Jon
>
> I like sudo, it is a more traditional tool than pkexec. While it does
> remove the need from having to know the root password, it doesn't
> obviate the need for a root user who has all the fun. Sudo would just
> get you access to some/all of it.
>
> That said, I think it would be useful in our new user creation that if
> we said that this user is the local admin (for whatever that does to
> your policykit settings) we also grant them sudo access. Probably the
> best way to deal with this is not to munge the /etc/sudoers file, but
> instead ship a config file that allows for a certain group or pk role to
> have sudo rights, and then when we create the user(s) we either add them
> to that group or role or not. That way they can pick up sudo rights
> without us having to modify the rpm shipped config file. But now I'm
> off in implementation land...
>
> --
> Jesse Keating
> Fedora -- Freedom² is a feature!
> identi.ca: http://identi.ca/jkeating





--
========

Plan or attend a Linux Installfest near you soon.

Ubuntu, fedora, OpenSUSE... take your pick... Soon there will be Google OS,,, maybe even Google Android for the desktop.


OpenOffice for your document management...



 
05-04-2010, 09:32 PM
Lennart Poettering

sudo by default?

On Tue, 04.05.10 16:56, William Jon McCann (william.jon.mccann@gmail.com) wrote:

> Hey,
>
> So what is our view of setting up sudo by default for standalone
> systems? Probably has some relationship with the systems on which we
> prevent root logins.
>
> It is worth noting that many of us have to set up ourselves each time
> we install Fedora. Might be nice if something like it was done by
> default.

I am all for it. Would be nice if we could give the wheel group a useful
meaning by default.

IIRC there was a discussion on fedora-devel a year ago or so, where some
people shot this down however.

> Is sudo the right answer or should we be thinking about pkexec? Thoughts?

David, is PK able to forget stored permissions after a time? i.e. with
sudo you have to reenter your password only every 10min or so. If you
use sudo within 10min it will authenticate you right-away. I like that
feature a lot, and would love something similar in PK.

sudo caches the authentication per-tty. i.e. if you have two xterms on
your screen and type your password into sudo once, it will remember the
password on that one xterm for the next 10min, but for the other xterm
you have to authenticate separately. How does PK handle this? Is
authentication bound to the X display? Or the session?

I am still missing something like "pkexec -s", similar to "sudo
-s". Would be good to have that, before advertising pkexec use to users
more strongly.

Lennart

--
Lennart Poettering Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/ GnuPG 0x1A015CC4
 
05-04-2010, 09:32 PM
Jesse Keating

sudo by default?

On Tue, 2010-05-04 at 17:19 -0400, Brad Banko wrote:
> I hope you don't mind me chiming in... I am a user who has used sudo and
> been pleased with having the flexibility to give root commands, do system
> wide searches without having to login as root...
>
> Does having sudo privileges (not restricted, but equivalent to root) give
> you the power to "take root"... change root's password? (e.g., ' sudo
> passwd root ...' ) I know that I don't appreciate the security issues
> fully of logging in as root (restricted to a terminal) versus using sudo in
> a terminal window ( sudo authority has a time expiration on it and requires
> the sudoers password to initiate ).
> .

A basic configuration would allow a sudo caller to change the root
password.

> And if sudo doesn't give a user the ability to "take root", what does one do
> if one forgets their root password?

Boot the system to single user mode or boot rescue media and change it
that way.

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
 
05-04-2010, 09:36 PM
Lennart Poettering

sudo by default?

On Tue, 04.05.10 14:07, Jesse Keating (jkeating@redhat.com) wrote:

> On Tue, 2010-05-04 at 16:56 -0400, William Jon McCann wrote:
> > Hey,
> >
> > So what is our view of setting up sudo by default for standalone
> > systems? Probably has some relationship with the systems on which we
> > prevent root logins.
> >
> > It is worth noting that many of us have to set up ourselves each time
> > we install Fedora. Might be nice if something like it was done by
> > default.
> >
> > Is sudo the right answer or should we be thinking about pkexec? Thoughts?
> >
> > Thanks,
> > Jon
>
> I like sudo, it is a more traditional tool than pkexec. While it does
> remove the need from having to know the root password, it doesn't
> obviate the need for a root user who has all the fun. Sudo would just
> get you access to some/all of it.
>
> That said, I think it would be useful in our new user creation that if
> we said that this user is the local admin (for whatever that does to
> your policykit settings) we also grant them sudo access. Probably the
> best way to deal with this is not to munge the /etc/sudoers file, but
> instead ship a config file that allows for a certain group or pk role to
> have sudo rights, and then when we create the user(s) we either add them
> to that group or role or not. That way they can pick up sudo rights
> without us having to modify the rpm shipped config file. But now I'm
> off in implementation land...

the default sudoers already contains a commented line that makes sudo
work for the venerable wheel group that way. I'd suggest simply enabling
that, as it is the path of least surprise to most, I'd guess.

BTW: another reason to enable sudo by default is to unify things a
little across distributions: to my knowledge Ubuntu (and related
distros) set up sudo like that. It would be nice if folks coming from
there would have an easy path to administrating Fedora systems.

Lennart

--
Lennart Poettering Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/ GnuPG 0x1A015CC4
 
05-04-2010, 10:02 PM
Jesse Keating

sudo by default?

On Tue, 2010-05-04 at 23:36 +0200, Lennart Poettering wrote:
> On Tue, 04.05.10 14:07, Jesse Keating (jkeating@redhat.com) wrote:
>
> > On Tue, 2010-05-04 at 16:56 -0400, William Jon McCann wrote:
> > > Hey,
> > >
> > > So what is our view of setting up sudo by default for standalone
> > > systems? Probably has some relationship with the systems on which we
> > > prevent root logins.
> > >
> > > It is worth noting that many of us have to set up ourselves each time
> > > we install Fedora. Might be nice if something like it was done by
> > > default.
> > >
> > > Is sudo the right answer or should we be thinking about pkexec? Thoughts?
> > >
> > > Thanks,
> > > Jon
> >
> > I like sudo, it is a more traditional tool than pkexec. While it does
> > remove the need from having to know the root password, it doesn't
> > obviate the need for a root user who has all the fun. Sudo would just
> > get you access to some/all of it.
> >
> > That said, I think it would be useful in our new user creation that if
> > we said that this user is the local admin (for whatever that does to
> > your policykit settings) we also grant them sudo access. Probably the
> > best way to deal with this is not to munge the /etc/sudoers file, but
> > instead ship a config file that allows for a certain group or pk role to
> > have sudo rights, and then when we create the user(s) we either add them
> > to that group or role or not. That way they can pick up sudo rights
> > without us having to modify the rpm shipped config file. But now I'm
> > off in implementation land...
>
> the default sudoers already contains a commented line that makes sudo
> work for the venerable wheel group that way. I'd suggest simply enabling
> that, as it is the path of least surprise to most, I'd guess.
>
> BTW: another reason to enable sudo by default is to unify things a
> little across distributions: to my knowledge Ubuntu (and related
> distros) set up sudo like that. It would be nice if folks coming from
> there would have an easy path to administrating Fedora systems.
>

Making the wheel group uncommented is indeed one step toward the
solution. The second step would be appropriately populating that wheel
group. That's going to require change on the user creation wizard.

However I was curious what the thoughts were on having rights management
be done both at the policykit level, as well as the traditional unix
group level. Is that a (technical) design issue?

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
 
05-04-2010, 10:46 PM
Bastien Nocera

sudo by default?

On Tue, 2010-05-04 at 23:36 +0200, Lennart Poettering wrote:
> On Tue, 04.05.10 14:07, Jesse Keating (jkeating@redhat.com) wrote:
>
> > On Tue, 2010-05-04 at 16:56 -0400, William Jon McCann wrote:
> > > Hey,
> > >
> > > So what is our view of setting up sudo by default for standalone
> > > systems? Probably has some relationship with the systems on which we
> > > prevent root logins.
> > >
> > > It is worth noting that many of us have to set up ourselves each time
> > > we install Fedora. Might be nice if something like it was done by
> > > default.
> > >
> > > Is sudo the right answer or should we be thinking about pkexec? Thoughts?
> > >
> > > Thanks,
> > > Jon
> >
> > I like sudo, it is a more traditional tool than pkexec. While it does
> > remove the need from having to know the root password, it doesn't
> > obviate the need for a root user who has all the fun. Sudo would just
> > get you access to some/all of it.
> >
> > That said, I think it would be useful in our new user creation that if
> > we said that this user is the local admin (for whatever that does to
> > your policykit settings) we also grant them sudo access. Probably the
> > best way to deal with this is not to munge the /etc/sudoers file, but
> > instead ship a config file that allows for a certain group or pk role to
> > have sudo rights, and then when we create the user(s) we either add them
> > to that group or role or not. That way they can pick up sudo rights
> > without us having to modify the rpm shipped config file. But now I'm
> > off in implementation land...
>
> the default sudoers already contains a commented line that makes sudo
> work for the venerable wheel group that way. I'd suggest simply enabling
> that, as it is the path of least surprise to most, I'd guess.

Could we make the wheel group equivalent to the desktop_admin_r role in
PolicyKit, so that we can use the accounts-service/accounts-dialogue to
enable sudo access as soon as you're tagging that user with the admin
role?


 
05-05-2010, 08:22 AM
Yaakov Nemoy

sudo by default?

2010/5/4 Lennart Poettering <mzerqung@0pointer.de>:
> BTW: another reason to enable sudo by default is to unify things a
> little across distributions: to my knowledge Ubuntu (and related
> distros) set up sudo like that. It would be nice if folks coming from
> there would have an easy path to administrating Fedora systems.

I disagree with this logic. It's too much like the 'if your friends
all jumped off the brooklyn bridge, would you do it too?' logic
parents use to convince kids not to do drugs.

I don't want to compare Ubuntu's decisions about security to drug use,
but the way you phrase it here, you make it sound like Ubuntu's setup
is already the best for users out there, and i'm not 100% convinced.
If there is a well defined policy that the consensus agrees is good,
then i'm all in favour of seeing that implemented as widely as
possible, for exactly the reasons you mention above.

There's two other points to be made. Let's say we have a well defined
security policy that the consensus agrees on. I'm willing to bet more
than anything that having it widely deployed will negate some of the
value it provides. Having multiple policies on different systems make
it that much harder for malware writers to trick users into doing
stupid things, and there's a certain fundamental advantage to using
multiple good policies on different systems for diversity. This is
assuming that multiple good policies exist.

The other point is that i'm personally not convinced automatically
giving sudo is the best option out there. (You can see my bias here.)
I think there is a strong difference in contexts between:

A) The user knows what he's doing, he owns the box, and he wants to
change something relatively benign such as the date or time of the
machine, install packages from good repos, something that can be
handled by PolicyKit.

B) The user knows what he's doing, he owns the box, and he wants to be
able to change anything at will using the old tried and true
administration techniques using sudo, such as changing the root
password, installing packages from source and so on.

These aren't judgement calls on what's better for the user to be
allowed to do. There is a value though in communicating clearly that
these are two separate contexts, and having an option in the new user
creation is definitely one way to communicate the difference between
someone with the right SELinux context and someone in the wheel group.

-Yaakov
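
[Added example, not written by any poster in this thread and not Fedora's own code.] The thread weighs uncommenting the wheel line in the main sudoers file against shipping a separate config file; the sketch below builds both in a throwaway directory and lists who ends up with unrestricted rights, including sudo's rule for skipping drop-in file names. The directory layout, the file names and the function names `build_demo_tree` and `list_full_root` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Every path lives under a throwaway temp directory; nothing
# in /etc is read or written. File contents are constructed samples.

# build_demo_tree DIR: a main sudoers file with the wheel rule still
# commented out, plus a drop-in directory as a package could ship it.
build_demo_tree() {
    mkdir -p "$1/sudoers.d"
    cat > "$1/sudoers" <<EOF
root    ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       ALL
#includedir $1/sudoers.d
EOF
    # The packaged rule: a separate file, so the main file is never edited.
    echo '%wheel ALL=(ALL) ALL' > "$1/sudoers.d/wheel"
    # Leftover from a package upgrade; sudo ignores it because of the ".".
    echo '%users ALL=(ALL) ALL' > "$1/sudoers.d/wheel.rpmsave"
    chmod 0440 "$1/sudoers" "$1/sudoers.d"/*
}

# list_full_root MAIN DROPIN_DIR: print each user or %group holding an
# unrestricted "ALL=(ALL) ALL" rule in the files sudo would actually read.
list_full_root() {
    main=$1
    dir=$2
    set -- "$main"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # sudo skips drop-in names that end in "~" or contain a ".".
        case ${f##*/} in *~ | *.*) continue ;; esac
        set -- "$@" "$f"
    done
    # Lines starting with "#" are comments here; the #includedir directive
    # never matches the rule pattern either.
    awk '$1 !~ /^#/ && /^[^ \t]+[ \t]+ALL[ \t]*=[ \t]*\(ALL(:ALL)?\)[ \t]+ALL[ \t]*$/ { print $1 }' "$@" |
        LC_ALL=C sort -u
}

demo=$(mktemp -d)
build_demo_tree "$demo"
list_full_root "$demo/sudoers" "$demo/sudoers.d"
rm -rf "$demo"
```

On a live system, check a drop-in with `visudo -cf FILE` before installing it.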
 

All times are GMT.