
Re: [SOLVED] Re: Security hole in LXDE?




On Mon, 6 Mar 2017 19:36:40 +0000
Brian <ad44@xxxxxxxxxxxxxxx> wrote:

> On Mon 06 Mar 2017 at 18:59:18 +0000, Joe wrote:
> 
> > On Mon, 6 Mar 2017 13:40:45 -0500
> > Greg Wooledge <wooledg@xxxxxxxxxxx> wrote:
> >   
> > > On Mon, Mar 06, 2017 at 06:31:46PM +0000, Joe wrote:  
> > > > Debian appears to use the group 'sudo' as an administrative
> > > > group, where some other distributions use 'wheel'.
> > > > 
> > > > I would not have thought that users would be added to it by
> > > > default, there are no members on my sid/xfce4 workstation.
> > > > Indeed, up to Jessie, sudo was not installed at all by default,
> > > > and may still not be.    
> > > 
> > > If you use the regular Debian installer, the user account that you
> > > create during installation gets added to a lot of these special
> > > groups (sudo, cdrom, floppy, audio, video, ...?).  Users that you
> > > create post-installation using adduser or useradd do not.
> > >   
> > 
> > New behaviour, then, my current sid was installed as wheezy, I added
> > sudo manually early on, but as it was not installed by default, it
> > would not have added the installing user to a sudo group. I'm
> > certainly not a member of that group, and have no wish to be.  
> 
> The "first user" is not in the sudo group. The place to check this
> is the templates file in the user-setup-udeb package.
>  
> > Possibly I'm missing something, but doesn't this repeat the Windows
> > mistake of automatically giving the user admin privileges? Isn't
> > that the main reason for the existence of so many Windows viruses?  
> 
> Look at it this way. The "first user" wishes to set up a printer. Is
> it better for the user to be granted very limited privileges by being
> in the lpadmin group or to become root to carry out the task?
> 

Who said anything about lpadmin? The question is about the wisdom of
automatically including someone in the sudo group, which in a default
Debian sudoers file, gives full root privileges to everything, using the
user's password.

We have someone saying this happens, someone else saying it doesn't, I
don't know as I haven't done a recent installation, and the thread was
started by someone who says it did happen to him.

-- 
Joe
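
The question the thread leaves open can be checked on any given system. The script below is an added example, not part of the original message: it lists the accounts that receive unrestricted root through a group rule in a sudoers file. It assumes rules of the form `%group HOST=(RUNAS) CMDS` in a single file (no `#includedir` fragments or aliases), and the sample files and user names are constructed.

```shell
#!/bin/sh
# Added example: list accounts that get unrestricted root via a sudoers group rule.

# Groups whose rule allows every command, e.g. "%sudo ALL=(ALL:ALL) ALL".
full_root_groups() {  # $1 = sudoers file
    awk '/^[ \t]*%/ {
        grp = $1; sub(/^%/, "", grp)
        spec = $0
        sub(/^[^=]*=/, "", spec)      # drop "%group HOST="
        gsub(/\([^)]*\)/, "", spec)   # drop the (runas) part
        gsub(/[A-Z_]+:/, "", spec)    # drop tags such as NOPASSWD:
        gsub(/[ \t]/, "", spec)
        if (spec == "ALL") print grp
    }' "$1"
}

# Members of a group: supplementary (group file) plus primary GID (passwd file).
group_members() {  # $1 = group, $2 = group file, $3 = passwd file
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
        awk -F: -v gid="$gid" 'gid != "" && $4 == gid { print $1 }' "$3"
    } | sort -u
}

audit_full_root() {  # $1 = sudoers, $2 = group file, $3 = passwd file
    for g in $(full_root_groups "$1"); do
        for u in $(group_members "$g" "$2" "$3"); do
            echo "$u via %$g"
        done
    done
}

# Constructed sample files (not taken from any real system).
d=$(mktemp -d)
printf '%s\n' 'root ALL=(ALL:ALL) ALL' '%sudo   ALL=(ALL:ALL) ALL' \
    '%backup ALL=(root) NOPASSWD: /usr/bin/rsync' > "$d/sudoers"
printf '%s\n' 'sudo:x:27:alice' 'lpadmin:x:108:alice,bob' 'backup:x:34:carol' > "$d/group"
printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
    'bob:x:1001:1001::/home/bob:/bin/bash' 'dave:x:1002:27::/home/dave:/bin/bash' > "$d/passwd"

audit_full_root "$d/sudoers" "$d/group" "$d/passwd"
```

On a live system, pass `/etc/sudoers`, `/etc/group` and `/etc/passwd` as root; `sudo -l -U <user>` remains the authoritative answer for a single account.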