Web lists-archives.com

Re: [SOLVED] Re: Security hole in LXDE?

On Mon 06 Mar 2017 at 18:59:18 +0000, Joe wrote:

> On Mon, 6 Mar 2017 13:40:45 -0500
> Greg Wooledge <wooledg@xxxxxxxxxxx> wrote:
> > On Mon, Mar 06, 2017 at 06:31:46PM +0000, Joe wrote:
> > > Debian appears to use the group 'sudo' as an administrative group,
> > > where some other distributions use 'wheel'.
> > > 
> > > I would not have thought that users would be added to it by default,
> > > there are no members on my sid/xfce4 workstation. Indeed, up to
> > > Jessie, sudo was not installed at all by default, and may still not
> > > be.  
> > 
> > If you use the regular Debian installer, the user account that you
> > create during installation gets added to a lot of these special groups
> > (sudo, cdrom, floppy, audio, video, ...?).  Users that you create
> > post-installtion using adduser or useradd do not.
> > 
> New behaviour, then, my current sid was installed as wheezy, I added
> sudo manually early on, but as it was not installed by default, it
> would not have added the installing user to a sudo group. I'm certainly
> not a member of that group, and have no wish to be.

The "first user" is not in the sudo group. The place to check this
is the templates file in the user-setup-udeb package.
> Possibly I'm missing something, but doesn't this repeat the Windows
> mistake of automatically giving the user admin privileges? Isn't that
> the main reason for the existence of so many Windows viruses?

Look at it this way. The "first user" wishes to set up a printer. Is
it better for the user to be granted very limited privileges by being
in the lpadmin group or to become root to carry out the task?