Hi, I will start off with a no, but let's get through this ;)
I am happy to see this discussion. I started to think that I was the only one complaining about the way root/sudoers/authentication-in-yast works in openSUSE/SLE.
I personally find Stasiek’s current proposal bad for UX, since getting asked more than one time for the password is more frustrating than getting asked only one.
I find the proposal reasonable in case of polkit, sudo mode would enable the user to execute administrative stuff only for some time, with a limitless amount of changes. This way if admin performs all the changes they need to do within the timeframe, they do not have to enter the password more than one time, but when they leave to do other stuff, and forget to close any of the modules, a third party can't just change stuff without knowing the password (assuming they show up after the time has run out). Any other model leaves the possibility to run stuff on behalf of root user without a limited timeframe, with the possibility to be compromised by another person in the office, or requires a lot of passwords to execute anything, which is frustrating and pointless considering existing solutions (i.e. Polkit) already fix that. You could introduce automated closing of YaST windows after some time of inactivity, but considering that Wayland doesn't allow you to track user's activity outside of the application, it wouldn't work very well with it...
It is good to hear different voices and opinions, since I think that to find the right way to do it, we have to find consensus of what we want, what basic users want, what system administrators want... I already raised this conversation with Ludwig and even created 2 tickets in fate. But, fate was closed and the tickets lost.
You can still view the tickets https://features.opensuse.org/ ;)
My proposal was to add a user group “admin” by default, add the first user to this group and remove the setting “Defaults targetpw” from /etc/sudoers. This way, a user in the group admin would have root rights with its password, which is expected for an admin account. Giving and removing root rights to a user would be as simple as adding it to and removing it from the admin group. sudo can do all the job. If an account is compromised, it can be disabled and removed from the group without affecting other users.
How does that differ from suggested route with wheel? It's a group of users with permissions to do "admin stuff", which is present on almost every Linux, BSD and Unix system. Assuming that the first user is admin is not a viable way to deal with it, it would be better if it was an option during installation user creation. And in any case, you can remove or disable any user if you got permissions to do so.
I would be against disabling root user by default. I think root should be available for emergencies, rescue system, etc. But, I think root should not be used as the system administrator user.
Also shouldn't have the same password as the first user by default, if we are going the wheel route.
With sudo rules, it can be avoided that a user executes jumping privileges programs, like vim. Instead of that, the filesystem permissions should be used to allow an admin user to make modifications. Configuration files under /etc would need to have group owner “admin”, so that an admin user can execute vim as non-root to edit the file. Of course such a thing needs to be carefully planned and audited by security experts to cover holes.
This is going a little far, especially since you are probably expecting to run various applications with that user, which is not going to be safe if you just let them access everything without asking questions. This also extends third party access issue outside of su windows, it's a bad idea.
What do you all think?
I want to make Linux desktop distributions more user friendly (not only geek/IT-scientist friendly), and for that we need to make UX "non-geek first". The defaults need to be the best possible for them, but always allowing the experienced user to set things up differently. Specifically I am thinking of Leap. Tumbleweed isn’t a good candidate for non-geeks, but Leap is. I think that it is ok that Tumbleweed is aimed at geeks. If not possible to change Tumbleweed nor SLE, I will at least beg to change Leap in that regard.
SLE is the base for Leap, I doubt that this important part of the system would be changed without taking care of it everywhere. Also Tumbleweed is a great daily driver for anybody (at least we are trying our best to make it be like that, with testing), you should try it out ;)

LCP [Stasiek]
https://lcp.world
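
The two sudo models debated in this thread (root's password via `Defaults targetpw` versus membership in an admin group such as wheel), as an added example that is not part of the original messages: a small Python check over sudoers text. The sample files, the `audit_sudoers` name, and the `ALL ALL=(ALL) ALL` and `timestamp_timeout` lines are assumptions constructed for illustration; only global `Defaults` lines and plain full-access rules are parsed.

```python
import re

# Constructed sample: target-password model (sudo asks for root's password).
TARGETPW_SUDOERS = """\
Defaults env_reset
Defaults targetpw   # ask for the password of the target user, i.e. root
ALL ALL=(ALL) ALL   # only safe together with 'Defaults targetpw'
"""

# Constructed sample: group-based model with a 5-minute credential cache.
GROUP_SUDOERS = """\
Defaults env_reset
Defaults timestamp_timeout=5
%wheel ALL=(ALL) ALL
"""

RULE = re.compile(r"(\S+)\s+ALL\s*=\s*\(\s*ALL(?:\s*:\s*ALL)?\s*\)\s*ALL$")

def audit_sudoers(text):
    """Summarise which password model a sudoers text implements."""
    result = {"targetpw": False, "timeout_minutes": None,
              "admin_groups": [], "all_users_rule": False}
    for raw in text.splitlines():
        # Simplification: everything after '#' is dropped, so #include and
        # #includedir directives are ignored rather than followed.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.match(r"Defaults\s", line):        # global Defaults only
            for opt in re.split(r"[,\s]+", line[len("Defaults"):].strip()):
                if opt in ("targetpw", "!targetpw"):
                    result["targetpw"] = (opt == "targetpw")
                elif opt.startswith("timestamp_timeout="):
                    result["timeout_minutes"] = float(opt.split("=", 1)[1])
            continue
        m = RULE.match(line)
        if m and m.group(1) == "ALL":
            result["all_users_rule"] = True
        elif m and m.group(1).startswith("%"):
            result["admin_groups"].append(m.group(1)[1:])
    # Every user may run anything as root, guarded only by their own password.
    result["unsafe"] = result["all_users_rule"] and not result["targetpw"]
    return result
```

The `unsafe` flag covers the migration pitfall: dropping `targetpw` while an all-users rule is still present gives every account root with its own password.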