Web lists-archives.com

Re: [SOLVED] Re: Security hole in LXDE?




On Mon 06 Mar 2017 at 19:57:25 +0000, Joe wrote:

> On Mon, 6 Mar 2017 19:36:40 +0000
> Brian <ad44@xxxxxxxxxxxxxxx> wrote:
> 
> > On Mon 06 Mar 2017 at 18:59:18 +0000, Joe wrote:
> > 
> > > On Mon, 6 Mar 2017 13:40:45 -0500
> > > Greg Wooledge <wooledg@xxxxxxxxxxx> wrote:
> > >   
> > > > On Mon, Mar 06, 2017 at 06:31:46PM +0000, Joe wrote:  
> > > > > Debian appears to use the group 'sudo' as an administrative
> > > > > group, where some other distributions use 'wheel'.
> > > > > 
> > > > > I would not have thought that users would be added to it by
> > > > > default, there are no members on my sid/xfce4 workstation.
> > > > > Indeed, up to Jessie, sudo was not installed at all by default,
> > > > > and may still not be.    
> > > > 
> > > > If you use the regular Debian installer, the user account that you
> > > > create during installation gets added to a lot of these special
> > > > groups (sudo, cdrom, floppy, audio, video, ...?).  Users that you
> > > > create post-installtion using adduser or useradd do not.
> > > >   
> > > 
> > > New behaviour, then, my current sid was installed as wheezy, I added
> > > sudo manually early on, but as it was not installed by default, it
> > > would not have added the installing user to a sudo group. I'm
> > > certainly not a member of that group, and have no wish to be.  
> > 
> > The "first user" is not in the sudo group. The place to check this
> > is the templates file in the user-setup-udeb package.
> >  
> > > Possibly I'm missing something, but doesn't this repeat the Windows
> > > mistake of automatically giving the user admin privileges? Isn't
> > > that the main reason for the existence of so many Windows viruses?  
> > 
> > Look at it this way. The "first user" wishes to set up a printer. Is
> > it better for the user to be granted very limited privileges by being
> > in the lpadmin group or to become root to carry out the task?
> > 
> 
> Who said anything about lpadmin? The question is about the wisdom of
> automatically including someone in the sudo group, which in a default
> Debian sudoers file, gives full root privileges to everything, using the
> user's password.
>
> We have someone saying this happens, someone else saying it doesn't, I
> don't know as I haven't done a recent installation, and the thread was
> started by someone who says it did happen to him.

I'll reconstruct my previous response. If there is no root password,
sudo is installed and the "first user" is put into the sudo group.

-- 
Brian.