On 06/26/2015 at 03:40 AM, Arno Schuring wrote:

> Hi,
>
>> Date: Thu, 25 Jun 2015 21:46:33 -0600 From: b...@proulx.com
>>
>> The Wanderer wrote:
>>
>>> In which case I return to my original comment on that point:
>>> although there might be situations where this setup could make
>>> sense, they would _not_ be for the casual user. As a setup for a
>>> sole computer intended to be administered by its sole user, this
>>> is simply a crazy design.
>>
>> I, like you, feel that being able to log in using a root password
>> is an essential requirement. However it is also true that Ubuntu
>> is designed for the non-technical and Ubuntu has chosen to disable
>> the root password by default and to provide sudo as the root
>> access method. Although I agree with you that it is crazy I have to
>> admit that there are a lot of Ubuntu machines out there with root
>> login disabled.
>
> Having a single root account for administration is also bad from an
> accountability viewpoint: it's essentially an anonymous account.
> Having user-based accounts allows for much better control and
> transparency over "who did what".
>
> So while you think it is crazy to have to use sudo on a single-user
> machine,

I didn't say anything about the use of sudo. I said that it's crazy to
_prevent logging in as root, entirely_.

Relying on sudo for "normal" machine administration is a mostly
reasonable idea (although it's not really more secure than using root
for the same thing, if you only have one account whose password might
get leaked anyway). I do have my issues with sudo, but it has its use
cases, and they are far more common and less crazy than cases where
entirely disabling the use of the root account is a sane thing to do.

> I think it's similarly crazy to enable the root account on machines
> that are administered by multiple people.

Even if true, this would not be the common case, particularly for a
distro targeted foremost at the ordinary user the way Ubuntu is; the
vast majority of people running it will be the sole, or at least
overwhelmingly primary, user of their machine.

> The root account should be limited to emergency use only,

True! But it should still be available for use in those emergency
situations, which locking it does not permit.

> and when your threat model doesn't include having to defend against
> physical access, the Debian approach of locking the root account and
> allowing passwordless login through sulogin is a perfectly reasonable
> and valid setup.

For the unusual case of "no physical access, multiple users who are
supposed to be able to do root-like things", yes, this can be
reasonable and valid.

But that is not remotely a common case (and I don't get the impression
it's the case for the person who started this thread), and even there,
I would argue that you should leave the root account enabled; you
should just _not hand out the root password_, and (probably) log and
report every time root logs in.

--
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
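
The two points raised in this message, logging and reporting every root login and the quoted concern about "who did what", can be shown together in a short added example that is not part of the original post. It assumes auth-log entries in the style of pam_unix "session opened" messages; the sample lines, host, users and function names are constructed for illustration.

```python
import re

# Constructed sample lines in the style of pam_unix "session opened" messages
# as found in an auth log (host, PIDs and user names are made up).
SAMPLE_LOG = """\
Jun 26 03:12:01 host1 sshd[2211]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jun 26 03:14:40 host1 su[2290]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Jun 26 03:20:05 host1 login[812]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jun 26 03:31:17 host1 sshd[2402]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 26 03:40:00 host1 sudo: pam_unix(sudo:session): session opened for user root by bob(uid=1001)
"""

# Matches only sessions opened for root; the "(uid=0)" after "root" is optional
# so that both older and newer pam_unix message layouts are accepted.
ROOT_SESSION = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s.*?"
    r"pam_unix\((?P<service>[\w-]+):session\): session opened for user root"
    r"(?:\(uid=0\))? by (?P<by>[^\s(]*)\(uid=(?P<uid>\d+)\)"
)

def root_sessions(log_text):
    """Return one dict per root session, noting whether a named user is behind it."""
    events = []
    for line in log_text.splitlines():
        m = ROOT_SESSION.search(line)
        if not m:
            continue
        # An opener with uid 0 means root was reached directly (console or ssh),
        # so the log does not say which person it was.
        attributed = m["uid"] != "0"
        events.append({
            "time": m["ts"],
            "service": m["service"],
            "via_user": m["by"] if attributed else None,
        })
    return events

def report(events):
    """Format the events; direct root logins are marked UNATTRIBUTED."""
    return [
        f'{e["time"]} root session via {e["service"]}: {e["via_user"] or "UNATTRIBUTED"}'
        for e in events
    ]

if __name__ == "__main__":
    print("\n".join(report(root_sessions(SAMPLE_LOG))))
```

The su and sudo entries carry the invoking account, while the console and ssh root logins do not, which is the difference a report on root logins would need to surface.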