I realize that Kubuntu make an extensive use of the sudo tool. I see a couple of problems in its implementation. All in all, I personally feel that it's better to use the traditional "root vs. normal user" approach.

One issue is that Kubuntu automatically adds a new user (created via its GUI user manager) to the group named "admin," which has an entry in the sudoers file. That's how every new user can use sudo to perform superuser tasks. However, if you create a new user in another way (i.e. via "useradd") without knowing this mechanism, the new user will have no access to the su privilege because the "root" account itself is locked by default.

Another issue is that the Kubuntu approach (IMO) is inherently dangerous in terms of system security. How safe is it when every user - novice or experienced - has access to the privilege to perform ALL su tasks? It is very easy to render the OS useless by editing some system files incorrectly. That's why the root privilege should never be treated casually... at least IMO.

The main Linux system my wife and I share runs CentOS. She does not know the root password, and she's comfortable with it. That way, both she and I know that if the system gets messed up, it's not her.

I am aware that it is possible to unlock the root account. In fact, I've already done that. As someone who administers 10+ UNIX/Linux servers at work, I am very uncomfortable not being able to "su". :)

What do you guys think?

in a world of desktops and laptops, sudo is an absolute necessity.
in a server context, of course, you can easily get by without it.
the vast majority of the installations are "personal".
so, it doesn't make much of a difference whether or not you have a root password.
in those contexts where a pc is shared by more than person, though,
i agree that having to enter the root password provides better security.
you can do that with sudo, though, mac-os style...
m2cts.

The main Linux system my wife and I share runs CentOS. She does not know the root password, and she's comfortable with it. That way, both she and I know that if the system gets messed up, it's not her.
What do you guys think?


I think that it's never her fault. How long have you been married? Tell her everything, take the blame, what is the matter with you? Not telling "herself" anything is much worse than any root permission problem you may envisage.

Go out and buy her some flowers. Make dinner. Above all, do not show her this post.

in a world of desktops and laptops, sudo is an absolute necessity.
in a server context, of course, you can easily get by without it.
the vast majority of the installations are "personal".
so, it doesn't make much of a difference whether or not you have a root password.
in those contexts where a pc is shared by more than person, though,
i agree that having to enter the root password provides better security.
you can do that with sudo, though, mac-os style...

Thanks for your comments. You've reminded me that Mac OS X uses the same mechanism. (I activated root on my Tiger, though. LOL)

I still wonder about account creation via CLI. Well, I guess those who resort to "useradd" instead of GUI are expected to know what they're doing...

man useradd in a console, or man:useradd in Konqueror and you'll learn what you need to know.

man useradd in a console, or man:useradd in Konqueror and you'll learn what you need to know.


I am fairly familiar with "useradd." My concern, as I expressed above, is that creating an account via "useradd" will not add the new user to the "admin" group unless you explicitly choose to via command-line parameters. As the result, the new user will not be able to sudo, and since root is locked, there's no way he/she will be able to perform superuser tasks.

I still wonder about account creation via CLI.
Well, I guess those who resort to "useradd" instead of GUI are expected to know what they're doing...

or use adduser, tailoring its behaviour in /etc/adduser.conf.
that should (hopefully) do what you need.

One issue is that Kubuntu automatically adds a new user (created via its GUI user manager) to the group named "admin,"

Actually, kubuntu shouldn't do that. That is 'add a new user to the admin group automatically with the GUI'. And it doesn't on my machines.

Giving users administrative powers is a task that should be done explicitly, not automatically. By default, out of necessity, the first user created during installation is added to the admin group, but not subsequent users created.

or use adduser, tailoring its behaviour in /etc/adduser.conf.
that should (hopefully) do what you need.


That's great stuff. Thanks! I was wondering how to change the upper UID/GID limits for system users. (My UID is 501 on all other Linux machines at home while by default Kubuntu considers it a system user ID.)

Man, I learn new things every day. 8)

(My UID is 501 on all other Linux machines at home while by default Kubuntu considers it a system user ID.)


By default, in *ubuntu, only the first user established on the system - the one who did the installation - is part of the admin group. Any other user that is added and that you want to be able to function with sudo privleges, must be explicitly added to this group.

(My UID is 501 on all other Linux machines at home while by default Kubuntu considers it a system user ID.)


By default, in *ubuntu, only the first user established on the system - the one who did the installation - is part of the admin group. Any other user that is added and that you want to be able to function with sudo privleges, must be explicitly added to this group.


Kubicle mentioned that as well. That's obviously my misunderstanding. :)

However, that has nothing to do with what Ubuntu / Kubuntu considers system user/group IDs. If you create a new user using its system settings tool, it will try to assign a user ID above 1000. In order to display "system" users/groups, you will need to check "show system user/group" checkboxes.

I don't really like the sudo system. I think this would be the best feature Ubuntu/Kubuntu could add and that is the option of using either sudo or the traditional 'su' (su or root account). Why isn't this implemented? I think more people would give one of the *ubuntus a chance.

I know I started branching off to other Debian-based distros which didn't use sudo. I got tired of always having to type 'sudo' after 'su' didn't work. In addition, I sometimes get help with Linux problems and some of my helpers are not sudo/Ubuntu fans so...

I think this would be the best feature Ubuntu/Kubuntu could add and that is the option of using either sudo or the traditional 'su' (su or root account).Why isn't this implemented?

Do you mean during installation? One can revive the normal root account fairly easily after installation (although it's not recommended).


I got tired of always having to type 'sudo' after 'su' didn't work. In addition, I sometimes get help with Linux problems and some of my helpers are not sudo/Ubuntu fans so...
You can use 'sudo -i' command instead of 'su' to get a root shell, and if you like, you can create an alias for su -> sudo -i and use 'su' just the same as with a root account.

alias su='sudo -i'
in your ~/.bashrc should do the trick (after starting a new shell or resourcing .bashrc)

Note: 'Safer' way would be to use a different alias like:

alias sus='sudo -i'
As su and sudo's additional options are not necessarily compatible

I hate it, I used SuSE/OpenSuSE for you & the root system used in that never bothered me, I like it alot better really, I unlocked root here, but the GUI apps. won't take the new root pass.

I hate it, I used SuSE/OpenSuSE for you & the root system used in that never bothered me, I like it alot better really, I unlocked root here, but the GUI apps. won't take the new root pass.


On Kubuntu, kdesu is a symlink to kdesudo. To restore the traditional kdesu do this as root:
rm /usr/bin/kdesu
ln -s /usr/bin/kdesu.distrib /usr/bin/kdesu

Of course, the use of sudo or su like anything else in Linux is a choice, a blessing, and a curse all rolled up into one.

At first, I didn't like "sudo", for all the reasons mentioned - extra keystrokes and the like. However, "sudo" does give the user as much power as is needed to alter the core of the Linux installation as "su" does. The one very good aspect of "sudo" is that it only gives you that power for as long as you need it and as long as you limit the use of options like "sudo -s" you have less of a possibility of leaving your system open to unwanted problems. Have you ever done an "su" or "su -" and forgot to exit out? I have. Let's just say I was uncomfortable with the vulnerabilities that an uncontrolled "su" or "su -" present

If it really bothers you, there are options as noted above.

I don't forget to exit the root shell or root, though. I don't like that Ubuntu thinks they figure you'll forget. That's a Microsoft mentality.

I think Ubuntu should offer both types of accounts if they're going to do that. For people who think they might forget and people who are certain they won't forget.

I also don't really understand kubicle's post. I don't think it should matter whether it's recommended or not. Switching to the 'su' method shouldn't be an issue or problem. But, that's just me... Other than that, there are things about Ubuntu I like but the sudo restriction is one I definitely DON'T like.

The actual point is that "sudo" is the default setup for *buntu. It is possible to set *buntu up for "su" usage - it's not prohibited behavior, nor is it default behavior. It's just the way the system is Other distros have different defaults, including some that are outrageous - but that's just my opinion.

Congrats on NEVER forgetting to exit from root usage. That's a good discipline - not all of us are as good at it as you seem to be.

Kubuntu will use sudo, and that's not about to change anytime soon. It's one of the things that defines *ubuntu.

As it is fairly easily changed, the whole idea of reviving 'root' is rather unnecessary.

Here again we talk about root access, and as I see it us who grew up in the unix plan and linux from 1994 where you neeed root access and depended on it, having to over come the windows thinking of "you cant know that".

i think it's time all linux user's grow up and take the power in hand and learn how to handel it. i don' t need kubuntu staff telling me what i can and can't do with my root account. that is very much a windows thing and as i read these post's all the new user's back the staff. so i say to them bay a book and read it.

also i wanted to say i only use root account and i never had a problem.
because i've been using linux since 1994 when it first came out.

Keyman

Great topic. As a longtime sysadmin and user of su and sudo I know that both are very useful and "BOTH ARE NEEDED". The difference here is the default behavior. The first thing I do on a Kubunto system is
"sudo -s" followed by passwd so I have an accessible root account for recovery purposes.

Kubuntu has added a great recover menu system, but even it brings you down to the need for a root password.

sudo is also needed to allow users to do some things and not others. It is also very useful in Kubuntu for getting root power in a GUI tool.

Bottom line? Kubuntu provides both to a knowledgeable user, which is better than old time where many were unaware of sudo, and a reasonable default for systems that are designed to be "new user friendly". I get exactly what I want. I love Linux.:)

Here again we talk about root access, and as I see it us who grew up in the unix plan and linux from 1994 where you neeed root access and depended on it, having to over come the windows thinking of "you cant know that".

The unix systems I've seen in my time were never logged into as root routinely. Admins did it, when necessary, but never hanged around as root.


i don' t need kubuntu staff telling me what i can and can't do with my root account.
How did you come up with that...anyone who has used linux for 6 months (or knows how to google) can enable the root account in a matter of minutes. The recommendations are directed at general populace, not at you specifically.


also i wanted to say i only use root account and i never had a problem.
That may well be, but what works for you != works for everyone. I've seen a few systems wrecked by careless use of the root account. I've also met a few people who "only use root account" (some of them have done it for years), and none of them have ever been able to give a single valid reason or use case why it would be beneficial to do so.

You have the power and the freedom to run your system(s) as you see fit, and linux distributors have the power and freedom to offer their system defaults as they see fit.

The unix systems I've seen in my time were never logged into as root routinely. Admins did it, when necessary, but never hanged around as root.

when i was one of them ("admins", i mean) we even used to have wrappers around "su".
anyone wanting to substitute user to root, had to enter a description of what they were doing it for.
"su -" would be fired only after the short form was filled in and logged.
it worked very well.

there is one reason why i unlock the root account on (my) ubuntu systems, though.
it has nothing to do with the argument of the op.
rather, it's got to do with security.
anyone booting an ubuntu system, off a standard grub setup, in single user mode, can get straight in as "root".
no password asked (obviously).
system owned.
home: no problems (hopefully).
office: problem.

m2cts

anyone booting an ubuntu system, off a standard grub setup, in single user mode, can get straight in as "root".
no password asked (obviously).
system owned.
home: no problems (hopefully).
office: problem.

True, but there are problems with that approach as well.

1. Even if you have set a root password to "close" the recovery mode, anyone that can edit grub boot options can get a root shell >> system owned.
2. Even with a grub password, anyone that can access bios can boot from a liveMedia >> system owned.
3. Even with a bios password set, anyone with a screwdriver can disable the bios password >> system owned.
etc.

Root password doesn't really protect a computer in an open environment, the only real protection can come with encryption and limiting physical access to the hardware. Having a root password for the recovery mode can protect from unintentional access, but doesn't stop anyone who intends to get in as root.

EDIT: I'm not uniformly against unlocking the root password, provided that you know what you're doing and have a *real* reason for doing it (one reason could be that you wish to set sudo to ask for the root password instead of user's password). I can even sort of understand unlocking it just because one's used to it, but that's hardly a reason to suggest that everyone should do it...or that it should be a distro default.

True, but there are problems with that approach as well.

...

Root password doesn't really protect a computer in an open environment, the only real protection can come with encryption and limiting physical access to the hardware. Having a root password for the recovery mode can protect from unintentional access, but doesn't stop anyone who intends to get in as root.

of course.
yeah.
totally agree.