[sf-lug] GKsu has long been EOLed

Akkana Peck akkana at shallowsky.com
Sat Feb 16 18:49:46 PST 2019


Rick Moen writes:
> And, if you think about it, the way Ubuntu and similar distributions use 
> sudo is pretty questionable from a security standpoint, too:  It
> conditions the user to think of root privilege as just a bureaucratic
> detail with a command prefix, and not even requiring a separate
> password.  IMO, it makes root mishaps _more_ likely, not less.

Quite right. In fact, I used to use su rather than sudo for
root-level operations, and my root accounts use bash without all my
nice zsh aliases, because I deliberately want to keep root a little
less pleasant to use -- and with a different prompt, as you mention later.

But lately the ease of sudo, combined with an increasing number of
common user actions that require root, has suckered me into
(ab)using sudo a lot more. There are just so many normal user
actions that require root under Debian's default configuration:
suspend, poweroff, reboot, dmesg, read various /var/log files, read
the WPA config, configure the network (via command line, not
desktop), install a package. If you're using some big bloated
desktop, these don't need root, but from the command line, they do,
unless you reconfigure your systems in ways that are poorly
documented and different for each action.

I've configured some of these not to need sudo, and this discussion
inspired me to look up a few more, and to start a collection of some
ways to configure the system so as to need root for fewer of the
common user actions:
http://shallowsky.com/linux/sudo-abuse.html

But there are still some actions where I can't avoid root access:
notably wpa_supplicant and DHCP when initializing a network on a
laptop that isn't always connected, and reboot and poweroff on
Raspbian, which has this elaborate polkit setup that no one seems to
grok. If anyone knows of ways around those, I'd love to hear them.

        ...Akkana



More information about the sf-lug mailing list