Ubuntu user's report

[Tim Wunder]

On Saturday 18 December 2004 11:45 am, someone claiming to be Net Llama! 
wrote:
> On 12/18/2004 08:22 AM, Myles Green wrote:
> > On Sat, 2004-18-12 at 07:37 -0800, Net Llama! wrote:
> >>On 12/18/2004 12:28 AM, Myles Green wrote:
> >>>Hi All, sorry for the length. If you're not interested in checking out a
> >>>new distro you might want to forgo this email.
> >>>
> >>>I recently installed Ubuntu on my usual system in place of my usual
> >>>distribution (Slackware) for no reason other than seeing what all the
> >>>hype was about. Having used Debian in the past (potato), and liking it,
> >>>I thought I was prepared for what I was about to encounter. Much to my
> >>>surprise, I found that I wasn't. No hassles, just pop the disc into the
> >>>drive, reboot, answer a (very) few questions, sit back and watch it
> >>>install the basic system. After that was done, pop the disc out of the
> >>>drive, reboot, answer a few more questions and, if you answered 'yes' to
> >>>downloading software, off it goes and installs updated software (most of
> >>>it security related). If you popped that disc back in after the reboot
> >>>it installs more off the disc along with the downloaded software and in
> >>>about 45 minutes (broadband Internet + high speed cdrom) you're looking
> >>>at GDM ready to login. That is, unless you elected to do a custom
> >>>install and set up a server which, I'm told, there are several folks
> >>>doing and using in production systems.
> >>>
> >>>At no time are you asked to enter a root password, by default the first
> >>>user created is added to the sudoers list. Now, I *did* have my
> >>>reservations about this idea but I do (sort of) understand their
> >>>reasoning. I also know how to type 'sudo passwd root' in order to
> >>>circumvent that idea (I believe that's all that's needed) but I've
> >>>pretty much gotten used to just typing sudo before any commands that
> >>>require root privileges - this is after all not a mission critical
> >>>system.
> >>
> >>Maybe i'm just missing something, but how is that more secure than using
> >>root?  If your box gets owned, now they don't even need to get root?
> >
> > As a desktop system no servers are installed so there no services
> > offered and minimum risk. A (several actually) firewall(s) is/are
> > available. Like I said, experienced users can enable the root account at
> > will. Nobody says you _have_ to use Ubuntu so, for folks like yourself,
> > "keep going people, nothing to see here".
> >
> > No offence Lonnie, but Red Hat and or Fedora aren't for everyone and
> > neither is Ubuntu or any other distribution. Isn't the freedom to choose
> > a wonderful thing?
> >
> > Happy Holidays,
>
> I wasn't attacking ubuntu.  I just don't understand why sudo makes the
> box more secure.

That depends, I guess, on the privileges passed out to the sudoer. If the 
sudoer has the same privileges as root, might as well login as root. But if 
the privileges are restricted to a subset of commands, then there is a 
modicum of security in place.

Regards, 
Tim

-- 
Fedora Core 2, Kernel 2.6.9-1.6_FC2,  KDE 3.3.1, Xorg 6.7.0
 12:30:01 up 9 days, 18:53,  4 users,  load average: 0.64, 0.23, 0.26
It's what you learn after you know it all that counts