
Re: Adding/modifying users under MATE DE




On Tue 05 Feb 2019 at 09:54:43 (-0500), Dan Ritter wrote:
> David Wright wrote: 
> > On Tue 05 Feb 2019 at 08:21:16 (-0500), Greg Wooledge wrote:
> > > On Mon, Feb 04, 2019 at 08:21:40PM -0700, Thomas D Dial wrote:
> > > > When in doubt about questions like this it often is helpful to consult
> > > > man pages, which often are available on the Web if you don't want to
> > > > install the necessary packages that include them. In this case, if sudo
> > > > is installed, the man page for sudo also will be there, probably along
> > > > with those for sudoers and visudo, although I could be wrong about the
> > > > last.
> > > 
> > > The sudoers(5) man page is ridiculously complex, as is the format of
> > > the /etc/sudoers file.  For 99% of Debian users, it's also completely
> > > unnecessary to know it.  Just make sure your primary user account is in
> > > the sudo group, and you will be able to run ANY command with sudo, being
> > > prompted for your password if you haven't used sudo on that terminal
> > > in the last few minutes.
> > 
> > Sure, but what's the difference between that and opening an xterm with
> > (the overspecified)   /bin/su -   where you don't have to keep typing
> > a password every few minutes.
> 
> sudo doesn't require you to know the root password, only your
> own password. So if you share sysadmin duties with a team of
> people, none of them need to know the root password (which can
> be set to something very long, written down, put in a safe
> deposit box, and not thought about again until your calendar
> reminds you to double check it). 
> 
> sudo also allows you to grant certain users the right to run specific
> commands with the privileges of other users, again verifying themselves
> with their own passwords. Say you have some software which must
> be run as a particular user, but you want several people to be
> able to use it. Don't give them the special user's password;
> give them all the right to run it via sudo, and don't give them
> other privileges.

Yes, that's why I went to the trouble of posting some lines from my
sudoers file so that it can be painlessly used in that way. For
well constrained commands (like checking the email outbound queue),
you don't even want to have to type any password. With sudoers it's
easy to allow yourself free access to a command but only if certain
switches are present. For example you might allow
$ sudo /sbin/gdisk -l /dev/sd?
but require a wake-up call to use gdisk unfettered. It's not
necessarily about knowing or not knowing the root password, but
protecting yourself against doing damage when you're lazy or tired.

> If it's a single-user machine, you can just remember the root
> password and use su -- unless you use sudo at work, in which
> case, keep using sudo everywhere.

I know we've debated here who is and who isn't a sysadmin, but I'm
assuming Greg's 99% aren't all sysadmins in a working environment.

Cheers,
David.
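
A sudoers drop-in for the gdisk case described in the message above, as an added example that is not from the original post or the poster's own sudoers file. The user name `david` and the file name are placeholders, and the "wake-up call" is read here as a password prompt on every use.

```sudoers
# /etc/sudoers.d/gdisk   (hypothetical file name)
# Edit with:  visudo -f /etc/sudoers.d/gdisk
# Check with: visudo -c
# "david" is a placeholder user name.

# sudo applies the LAST matching rule, so the broad rule goes first
# and the narrow passwordless exception goes after it.

# Unrestricted gdisk: allowed, but authenticate every time, even if a
# password was entered on this terminal a moment ago.
# Per-command Defaults cannot carry arguments, hence the alias.
Cmnd_Alias GDISK_ANY = /sbin/gdisk
Defaults!GDISK_ANY timestamp_timeout=0
david ALL = (root) PASSWD: GDISK_ANY

# Listing a partition table only: no password.
# The message quotes the pattern /dev/sd? . In sudoers the arguments are
# matched as one concatenated string and "?" accepts ANY single
# character, so a character class is the tighter form of the same rule.
Cmnd_Alias GDISK_LIST = /sbin/gdisk -l /dev/sd[a-z]
david ALL = (root) NOPASSWD: GDISK_LIST

# Loose form, as written in the message (left commented out):
# david ALL = (root) NOPASSWD: /sbin/gdisk -l /dev/sd?
```

Running `sudo -l` as that user shows which rule sudo will apply to each command line, which is a quick way to confirm the ordering had the intended effect.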