sudo by default?

Yaakov Nemoy loupgaroublond at gmail.com
Thu May 6 08:42:51 UTC 2010


2010/5/6 Paul W. Frields <stickster at gmail.com>:
> On Wed, May 05, 2010 at 02:52:15PM +0200, Lennart Poettering wrote:
>> On Wed, 05.05.10 10:22, Yaakov Nemoy (loupgaroublond at gmail.com) wrote:
>>
>> >
>> > 2010/5/4 Lennart Poettering <mzerqung at 0pointer.de>:
>> > > BTW: another reason to enable sudo by default is to unify things a
>> > > little across distributions: to my knowledge Ubuntu (and related
>> > > distros) set up sudo like that. It would be nice if folks coming from
>> > > there would have an easy path to administrating Fedora systems.
>> >
>> > I disagree with this logic. It's too much like the 'if your friends
>> > all jumped off the brooklyn bridge, would you do it too?' logic
>> > parents use to convince kids not to do drugs.
>>
>> Well, it might come as a surprise to some, but actually Ubuntu is not
>> just a bunch of imbeciles, and it kinda annoys me that whenever
>> something comes from or is done in Ubuntu, people say: "well, if Ubuntu
>> does it, then it is questionable because they don't know what they do
>> and their distro is only used by noobs".
>>
>> Well, that's simply bullshit.
>
> I think Yaakov said in the paragraph right after the snip above that
> he was simply not 100% convinced the implementation Ubuntu chose is
> correct, not that they were imbeciles.  Yes, analogies are generally
> bad.

Thanks Paul. This is correct. Just to be clear, I think Ubuntu's
policy of giving the first user automatic sudo access is not the best
way to do things. I don't mean to say that it hasn't been thought out
by experts, and I definitely don't mean to say that it's insecure in
any way. I will say that it doesn't educate users properly and gives
users a false expectation of what good security is.

One of the tricky things about these kinds of security policies where
the most likely error you can get is E_PEBCAK is that there is
theoretically no such thing as absolute security. When you define a
security process intended to be secure, you have to take into account
what the users were using beforehand to understand their expectations
of the computer. If they expect things to be widely open, they will do
their worst to go around a more locked down security policy, thus
negating its effectiveness.

When I mention that I find Ubuntu's policy dubious, it's in connection
with the idea that an Ubuntu user will eventually try out another
distribution. Having a single non-root user with full access to the
system via sudo isn't bad per se, but it denies you the ability to
make fine-grained control without work. It's ok for desktops. I think
the separation of root from the rest of the users via PolicyKit and a
number of other mechanisms is far better for a wide variety of
scenarios, including desktops. Assuming the user will have a hard time
discerning the real difference between Ubuntu and Fedora in practice,
you need a way that the user's expectations from Ubuntu can be thrown
into Fedora and vice versa. You also don't want to compromise your
ability to use PolicyKit effectively.

In order to accommodate these two conflicting needs, I separated this
into two types of reasons the user might need root access, and at
initial account creation time, a simple radio dialog can handle the
two needs. To just follow Ubuntu's direction is bad for the reason
that we create an either/or situation. I'm proposing a 'both'
situation. And yes, Paul is correct; analogies are bad.

-Yaakov
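The post contrasts one user holding blanket sudo access with fine-grained grants. As an added example (not part of the thread or any distribution's tooling), this Python script parses constructed sudoers user-specification lines and reports, per user, whether the grant is a blanket `ALL` or a scoped command list, and whether it is passwordless; it assumes only the simple line forms shown and skips alias and Defaults lines.

```python
import re

# Constructed sudoers fragment (not from the thread): the blanket first-user
# grant the post describes, a scoped per-service grant, a passwordless grant.
SAMPLE_SUDOERS = """\
# constructed sample, not any real system's file
Defaults env_reset
alice ALL=(ALL) ALL
bob ALL=(root) /usr/bin/systemctl restart httpd, /usr/bin/journalctl -u httpd
carol ALL=(ALL) NOPASSWD: ALL
"""

# user  host = (runas)  [TAG:] command, command   (alias lines are skipped)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|SETENV|NOSETENV):\s*")

def parse_rule(line):
    """Return a dict for one user-specification line, or None otherwise."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split()[0]
    if first.startswith("Defaults") or first.endswith("_Alias"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    cmds, tags = m.group("cmds").strip(), []
    while (t := TAG_RE.match(cmds)):  # strip leading tags such as NOPASSWD:
        tags.append(t.group(1))
        cmds = cmds[t.end():]
    return {"user": m.group("user"), "runas": m.group("runas") or "root",
            "tags": tags, "commands": [c.strip() for c in cmds.split(",")]}

def classify(rule):
    """'blanket' when the command list contains ALL, else 'scoped'."""
    return "blanket" if "ALL" in rule["commands"] else "scoped"

def audit_sudoers(text):
    """Map each user to (classification, passwordless flag)."""
    report = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule:
            report[rule["user"]] = (classify(rule), "NOPASSWD" in rule["tags"])
    return report
```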


More information about the desktop mailing list