configuring sudo by default (was: Re: Today's (9/12) rawhide all users = unable to authenticate user!)

Nigel Jones dev at nigelj.com
Sun Sep 14 22:33:35 UTC 2008


On Sun, 2008-09-14 at 17:09 -0400, Seth Vidal wrote:
> On Sun, 2008-09-14 at 13:26 -0600, Stephen John Smoogen wrote:
> > On Sat, Sep 13, 2008 at 6:58 AM, Seth Vidal <skvidal at fedoraproject.org> wrote:
> > > On Sat, 2008-09-13 at 08:06 -0400, Matthew Miller wrote:
> > >> On Sat, Sep 13, 2008 at 02:02:12PM +0200, Thorsten Leemhuis wrote:
> > >> > But a checkbox with a text "User is the sysadmin for this system" might
> > >> > make sense in firstboot -- that checkbox could not only configure sudo
> > >> > and/or PolicyKit access but also do other things like setting up an alias in
> > >> > /etc/aliases to make sure the user in question receives the mail sent to
> > >> > root.
> > >>
> > >> If we do this (and I'm for it), we should make this work by uncommenting the
> > >> wheel group in /etc/sudoers, and having said checkbox add the user to the
> > >> wheel group.
> > >
> > > I don't like the wheel group way into sudoers. Not the least of which
> > > because the wheel group, on systems which are using some other form of
> > > nss than local files, can be mucked with too easily.
> > >
> > 
> > Any solution is going to be fragile in the case of a network'd
> > computer. Unix permission scheme was never designed with that in mind.
> > So what is the 80% use solution? Of the Fedora users, are 80% covered by
> > local files or using nss_XXX? I am not for wheel or against it.. I
> > just figure we should look at what is the majority use scheme and work
> > around it for the rest.
> > 
> 
> 80% is the entry gets added to /etc/sudoers by the user addition
> interface if 'make this user an admin' is checked.
> 
> I think the entry would look like:
> 
> username ALL=(ALL)    
I agree, I've filed an RFE as bug #462161
(https://bugzilla.redhat.com/show_bug.cgi?id=462161), forgot to mention
it previously.

- Nigel
> 
> -sv
> 
> 
> 
-- 
Nigel Jones <dev at nigelj.com>
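
The concern raised in the quoted thread, that a `%wheel` rule in /etc/sudoers depends on wherever NSS gets group membership from, can be checked on a host. The sketch below is an added example, not part of the original message; the function names and sample file contents are constructed, and the sudoers parsing is simplified (no includes, aliases or line continuations).

```python
import re

# Constructed sample inputs (not taken from any real system).
SAMPLE_SUDOERS = """\
# constructed sample
root    ALL=(ALL)   ALL
%wheel  ALL=(ALL)   ALL
# %admins ALL=(ALL) ALL
alice   ALL=(ALL)   ALL
"""
SAMPLE_NSSWITCH_LDAP = "passwd: files ldap\ngroup:  files ldap\n"
SAMPLE_NSSWITCH_LOCAL = "passwd: files\ngroup:  files\n"


def group_sources(nsswitch_text):
    """Return the service names on the 'group:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("group:"):
            # Drop action items such as [NOTFOUND=return]; keep service names.
            return re.sub(r"\[[^\]]*\]", " ", line[len("group:"):]).split()
    return ["files"]  # assumption for this sketch: no line means local files


def sudoers_principals(sudoers_text):
    """Split active user specifications into (%group entries, user entries)."""
    groups, users = [], []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        who = line.split()[0]
        if who.startswith("Defaults") or who.endswith("_Alias"):
            continue
        (groups if who.startswith("%") else users).append(who)
    return groups, users


def audit(sudoers_text, nsswitch_text):
    """Flag %group grants when group lookups use anything besides local files."""
    remote = [s for s in group_sources(nsswitch_text) if s != "files"]
    groups, users = sudoers_principals(sudoers_text)
    return {"remote_sources": remote,
            "groups_at_risk": groups if remote else [],
            "per_user": users}


if __name__ == "__main__":
    print(audit(SAMPLE_SUDOERS, SAMPLE_NSSWITCH_LDAP))
```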



