Sudo for first user

Joonas Sarajärvi muepsj at gmail.com
Sun Oct 5 09:06:03 UTC 2008 

2008/10/5 Rahul Sundaram <sundaram at fedoraproject.org>:
> Colin Walters wrote:
>>
>> On Sat, Oct 4, 2008 at 12:14 PM, Rahul Sundaram
>> <sundaram at fedoraproject.org> wrote:
>>>
>>> Hi
>>>
>>> You can add the following snippet to the fedora-desktop ks file into a
>>> init
>>> script to make sudo just work for the first user. It can't be added to
>>> %post
>>> since firstboot wouldn't have launched then. Let me know what you think:
>>
>> I agree the overall concept makes sense.  Some questions to consider:
>>
>> 1) Are we too far into the F10 process for this?
>
> It's a fairly simple change. You can stick it in the current ks file and do
> a compose and test or if you want me to do that and post a image for further
> testing, I can.
>
>> 2) How does this interact with the default PolicyKit configuration?
>
> PolicyKit configuration should be tweaked to accept user password like you
> said but I don't know about the details much.
>
>
>> 3) How do other important OS vendors use sudo, is there a chance to
>> harmonize a bit?
>> 4) Does it still make sense to have a root password (and root account)?
>
> Are you asking about disabling the root account by default? Not possible
> without Anaconda changes and at this point, I wouldn't think about anything
> major for this release atleast.

I used to always lock the root account and use sudo myself, but AFAIK
the system-config-* tools for example can't be set up to use sudo
instead of the root passoword. (Debian, Ubuntu and Arch Linux, for
example, use gksu for similar tools, which can be configured to use
either.) Since I didn't want multiple ways to get root privileges and
I still wanted to use the system-config-* tools from the menu, I had
to stop using sudo. I quickly got used to using the root password,
though.

I don't mind if Fedora uses sudo or a root account for getting root
privileges, but I'd very much like it to be consistent. Ubuntu does
this by having every management tool support sudo and always asking
for the user's password. Fedora has always asked for the root
password, which I like, too.

I'm not a security expert, but I think it would be best to have just
one way to get root access. One important password. Or with sudo,
where I could just decide which users could run admin tools, instead
of just the users who know the root password.

What I wouldn't like is a mess where I would sometimes enter my own
password and other times the root password, depending on the tool. If
this could be avoided just by not opting in for the sudo setup during
the installation, that is ok.

This ended up being a little rant-ish, but well, I think adding sudo
to the default setup is not a small change and is worth being thought
and planned well ahead before doing it.

-- 
Joonas Sarajärvi
muepsj at gmail.com

More information about the Fedora-desktop-list mailing list