"Computers make very fast, very accurate mistakes."

Ubuntu 5.10 - Comments

Thursday 27th October 2005

Categories: Reviews, GNU/Linux, FLOSS

All comments not written by free-bees.co.uk are owned by the author, and free-bees.co.uk is in no way responsible for their content.

1. Submitted by Russ, Friday 28th October 2005

Let me start by saying I enjoyed reading your review, good job.

However, I think your description of Ubuntu's method of handling root privileges is a bit misleading, and makes it sound much less secure than it actually is.

Your description gives the impression that the primary user basically runs with root privileges all of the time. This is not the case. The user has the ability to use sudo to do jobs the require root privileges. When the primary user doesn't type sudo before a command (or enter his password into a dialog box for a gui app) that user has the same privileges as any other user on this or most other Linux systems.

Now whether this is more or less secure than the standard method of using a root account is up for debate, and I'm not about to try to take one side or the other in that argument, but I will say that it is much more secure than the system as you describe it in your review. I will also say that I've been using Ubuntu for almost a year now and haven't felt the need to switch back to the more common method of using a root account - and I am a fairly security conscious type (my Firefox is configured to block cookies, ads, javascript and flash, except when I choose to allow them on a site-by site basis, if that helps to show what type of user I am).

For more on how superuser privileges are handled and some on the rationale behind the approach Ubuntu takes on it (as well as a fair look at both the advantages and disadvantages of the approach), see https://wiki.ubuntu.com/RootSudo

2. Submitted by LarsBj, Friday 28th October 2005

Nice (well Ok) short review. I agree with all your points except one, which I have seen almost every other reviewer of Ubuntu get wrong (in my opinion) as well: The issue of being root or not.

Now, I'll admit that Ubuntu's default arrangement where this is concerned might be unusual, but only by comparison to the norm in other distributions. I think they have made a wise choice, taking the whole "root thing issue" out of the picture for new Linux users, which IMO is a good thing - it lowers the barrier. Now, as a somewhat experienced Linux user, I actually *also* find this arrangement a good thing, for shere convenience.

Here's the point you (and most others) are getting wrong: The first user does NOT (repeat NOT) run with root privileges! And therefor does NOT present a security risk.

The arrangement is such, that whenever the first user needs to do something "dangerous" like installing a package, which requires root privileges, they are PROMPTED for their own password, and from then on are carrying out their task with SUDO - root privileges. Only THEN do they have root privileges, and this arrangement is *no different* (IMO) from having to log on as root and do your thing, not from a security standpoint, but what it DOES allow, is for the user to have to deal with one less password, and one less concept (the root thing), which IMO is a *good* thing.

There you have it. I'm sure wiser people than me will take this apart, but I think it's an important point, and one that I continually see people cite to the detriment of Ubuntu, which I think is just plainly unfair. So: Well done Ubuntu! I think you got this one right as well (apart from producing a fantastic distro that Just Works(TM))

Sorry for the lengthy comment :-)

3. Submitted by Anonymous, Friday 28th October 2005

What you say about root privileges is totally incorrect.

What actually happens is that the 1st user is simply added to the group which is able to run sudo. Yes, that group is called 'admin' but it doesn't confer any special/root privileges on the user - bar the ability to run 'sudo'

4. Submitted by Anonymous, Friday 28th October 2005

I am ok with ubunto 5.10. You mention that root password can be set in the command line. Would you tell me how to do that. I would like to set one because sometimes I want to change or delete some files and I get "you are not the owner of this file(s)".

5. Submitted by Mike, free-bees.co.uk, Friday 28th October 2005

In response to #4:

Simple - when in a terminal, simply type sudo passwd root. You will then be prompted for your password, and then you can enter a new root password. Alternatively, you can type sudo before a command, and that command will be executed as though you were the root user.