Re: [SOLVED] Re: Security hole in LXDE?

On Mon, 6 Mar 2017 20:47:50 +0000 (UTC)
Curt <curty@xxxxxxx> wrote:

> On 2017-03-06, Joe <joe@xxxxxxxxxxxxxx> wrote:
> >
> > Who said anything about lpadmin? The question is about the wisdom of
> > automatically including someone in the sudo group, which in a
> > default Debian sudoers file, gives full root privileges to
> > everything, using the user's password.
> >
> > We have someone saying this happens, someone else saying it
> > doesn't, I don't know as I haven't done a recent installation, and
> > the thread was started by someone who says it did happen to him.
> >  
> I've only used the installer up to and including Wheezy and have
> always created a root password. But if I hadn't (created a root
> password) then I suppose I would've been included in the sudo group
> with full administrative privileges. If not, how would or does the
> person installing the OS (who is therefore, ipso facto, IMO, the
> administrator of the machine) do anything administratively? And what
> difference would it make security-wise to put the "first user" in the
> sudo group when she or he could have gotten there anyway by simply
> creating a root password and foregoing sudo altogether? Or am I being
> stupid here, missing something obvious?

A member of the sudo group has permanent root privileges. He might as
well simply log in as root every day, and not bother with another user.

My understanding of the use of the sudo group was for multiple server
admins, not workstation users.