On 11/8/22 19:15, Carlos E. R. wrote:
On 2022-11-08 17:46, Michael Ströder wrote:
On 11/8/22 13:36, AW wrote:
...
Scenario: User needs to install new printer without admin-PW. So 'sudo' would become a lesser 'su': Users in the wheel group have some priviledges. Including installing a printer, adding a new wifi network and so on.
For security reasons you don't want to add the normal desktop user to wheel group. Or do you want that?
Could you expand on this, please?
If some reconfiguration needs broad root access then IMHO the user should know the root password - for now. (Hmm, IIRC the Yast installer already suggests to set a common password for the first end-user and root which is somewhat debatable too.) One could differentiate this policy further for certain commands but this needs proper considerations for various use-cases.
If we can not add the normal user to the wheel group, then what can we do?
A user can be added to the wheel group if root on this system decides to do so. But it should probably not be the default configuration. As said I don't have a silver bullet at hand to solve all possible use-cases with one simple policy change. This needs some collective thoughts.
I have seen comments against wheel for decades, even in documentation, but never an explanation. It really depends on what 'wheel' group members are authorized to do on a particular system. A sudoers entry for broad root access would IMHO be dangerous if normal desktop users are in 'wheel'.
Ciao, Michael.