Wednesday, May 26, 2010

Re: [LINUX_Newbies] Fedora 13 problems

 

On Wed, May 26, 2010 at 11:38:48PM -0400, J wrote:
> On Wed, May 26, 2010 at 20:38, Scott <scottro@nyc.rr.com> wrote:
> > (As for the link on that page, to the page on paths, that has become
> > irrelevant.  Fedora now includes all the /sbin paths in a normal user's
> > profile.)
>
> By the way, thanks for pointing that out, Scott... every time my friend
> at Red Hat gives me grief for working for Canonical, I throw things
> like this back in his face ;-)

Well, you still have the update without authentication bug. :)
Although now, it's only Fedora, possibly through your friend's
intervention, since no one seemed to notice before that, it's been fixed
in RH. However, in Fedora, the developer has basically said, if ya
don't like it, use something else. (I'm drastically paraphrasing, but.)

https://bugzilla.redhat.com/show_bug.cgi?id=577070

Now, what's interesting is that everyone seems to think that it was
fixed after the big fiasco when the install and upgrade without password
made slashdot and distrowatch. As F13 comes out, I've mentioned it a
few times, and several have told me, No, it's fixed--so I say, AHA, it
hasn't been. My hope is that it makes slashdot again.

>
> However, that being said, /sbin and /usr/sbin are part of the first
> user created in Ubuntu. I believe that in Ubuntu, and I'm going to
> guess that in Fedora it's the same thing, the assumption is that the
> first non-root user is an admin and thus members of adm in Ubuntu, or
> its equivalent in Fedora (is that wheel?, I don't recall).

Heh, wheel is for distributions like Arch, Gentoo, and the BSDs. The
ones that figure their users have some intelligence. The wheel group
does exist, one can edit /etc/pam.d/su to make it so that only wheel can
su to root, but it's not used by default. I'm not sure what they do
with the first user created by default, as I always do a very minimal
install, where one only creates a root password, then add a user
(including adding them to wheel, audio, and video, but I do it
manually.)

If you do a default install, however, upon first boot after install, you
create a user--root can't log into the default GDM session.

>
> For users created after that, though, their path still includes /sbin
> and /usr/sbin, but does not include group membership, so even though
> they can execute the apps in those places, they can't actually do
> anything beyond getting usage...

See above. I'm not sure. At work as well, where we have a few Fedora
machines, users are created manually.

>
> in Ubuntu, my primary user (part of the adm group) can run them, but
> still needs sudo to do anything systemic.
>
> And in reality, I want to say that this behaviour, at least as
> pertains to $PATH, has been around for a while now.
>
> BUT, that being said, personally, I'd just prefer to not have normal
> users' $PATH contain those directories at all.

I reckon that's from growing up with RH. Although I started with the
desktop distros, e.g., RH, Mandrake, and Caldera--remember them, I think
they were SCO before SCO turned evil--I really began getting deeply into
it with Gentoo and then the BSDs. All of these give the user full
$PATH. AIX doesn't. Both BSD and Gentoo, however, only allow wheel to
su to root by default.

>
> Personally, non-admin users shouldn't even be able to read directories
> outside of /home/$USERNAME beyond maybe /var/cache, /var/spool, and
> /tmp (unless there's an app-specific need I'm not thinking of).

I'm not sure. It's probably best in a really serious environment.
FreeBSD, for example, lets an ordinary user read /var/log/messages and
/var/log/maillog, though I don't think they can write to them. On the
other hand, back in the day, before Windows, Unix was what ordinary
users had too. MS used to worry about Unix compatibility, now of
course, it's the other way around, and somewhat ironic that if one has
an external drive used to manually move files between Mac and Linux, the
easiest thing to do is use FAT32 or NTFS. :)

--
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Buffy: Believe it or not, Jonathan, I understand about the
pain.
Jonathan: Oh, right. 'Cause the burden of being beautiful and
athletic, that's a crippler.
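
The /etc/pam.d/su edit mentioned in the message above, as an added example that is not part of the original post: a shell check that reports whether a PAM su file really limits su to the wheel group through pam_wheel.so. The function name su_wheel_policy and the three sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a PAM "su" service file uses pam_wheel.so.
# Prints one of:
#   restricted  - active auth required/requisite pam_wheel.so: only wheel may su
#   trust-only  - only a "sufficient" line: wheel gets a shortcut, others can still su
#   open        - no active pam_wheel.so line in the auth stack
su_wheel_policy() {
    awk '
        $1 ~ /^#/ { next }                      # commented-out lines are inactive
        $1 == "auth" && $3 ~ /pam_wheel\.so$/ {
            for (i = 4; i <= NF; i++)
                if ($i == "deny") next          # deny inverts the test, so not a wheel-only rule
            if ($2 == "required" || $2 == "requisite") enforced = 1
            else if ($2 == "sufficient") trusted = 1
        }
        END {
            if (enforced)     print "restricted"
            else if (trusted) print "trust-only"
            else              print "open"
        }
    ' "$1"
}

# Constructed sample files (assumptions, not copied from any real system).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf '%s\n' \
    'auth     sufficient pam_rootok.so' \
    '#auth    required   pam_wheel.so use_uid' \
    'auth     include    system-auth' > "$demo_dir/su.commented"

printf '%s\n' \
    'auth     sufficient pam_rootok.so' \
    'auth     sufficient pam_wheel.so trust use_uid' \
    'auth     include    system-auth' > "$demo_dir/su.trust"

# Tab-separated, with a leading tab on the pam_wheel line.
printf 'auth\tsufficient\tpam_rootok.so\n\tauth\trequired\tpam_wheel.so use_uid\n' \
    > "$demo_dir/su.wheel"

for f in "$demo_dir"/su.*; do
    printf '%-14s %s\n' "${f##*/}" "$(su_wheel_policy "$f")"
done
```

To check a host, call su_wheel_policy /etc/pam.d/su; a result of "open" means the wheel restriction is not in effect.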
