sudo by default?

Jesse Keating jkeating at redhat.com
Tue May 4 22:02:39 UTC 2010 

On Tue, 2010-05-04 at 23:36 +0200, Lennart Poettering wrote:
> On Tue, 04.05.10 14:07, Jesse Keating (jkeating at redhat.com) wrote:
> 
> > On Tue, 2010-05-04 at 16:56 -0400, William Jon McCann wrote:
> > > Hey,
> > > 
> > > So what is our view of setting up sudo by default for standalone
> > > systems?  Probably has some relationship with the systems on which we
> > > prevent root logins.
> > > 
> > > It is worth noting that many of us have to set up ourselves each time
> > > we install Fedora.  Might be nice if something like it was done by
> > > default.
> > > 
> > > Is sudo the right answer or should we be thinking about pkexec?  Thoughts?
> > > 
> > > Thanks,
> > > Jon
> > 
> > I like sudo, it is a more traditional tool than pkexec.  While it does
> > remove the need from having to know the root password, it doesn't
> > obviate the need for a root user who has all the fun.  Sudo would just
> > get you access to some/all of it.
> > 
> > That said, I think it would be useful in our new user creation that if
> > we said that this user is the local admin (for whatever that does to
> > your policykit settings) we also grant them sudo access.  Probably the
> > best way to deal with this is not to munge the /etc/sudoers file, but
> > instead ship a config file that allows for a certain group or pk role to
> > have sudo rights, and then when we create the user(s) we either add them
> > to that group or role or not.  That way they can pick up sudo rights
> > without us having to modify the rpm shipped config file.  But now I'm
> > off in implementation land...
> 
> the default sudoers already contains a commented line that makes sudo
> work for the venerable wheel group that way. I'd suggest simply enabling
> that, as it is the path of least surprise to most, I'd guess.
> 
> BTW: another reason to enable sudo by default is to unify things a
> little across distributions: to my knowledge Ubuntu (and related
> distros) set up sudo like that. It would be nice if folks coming from
> their would have an easy path to administrating Fedora systems.
> 

Making the wheel group uncommented is indeed one step toward the
solution.  The second step would be appropriately populating that wheel
group.  That's going to require change on the user creation wizard.

However I was curious what the thoughts were on having rights management
be done both at the policykit level, as well as the traditional unix
group level.  Is that a (technical) design issue?

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/desktop/attachments/20100504/6401f4d7/attachment.bin

More information about the desktop mailing list