[OLPC devel] su/sudo or not to sudo/su (was PATCH: add --loginpause to mingetty)
Iain (OLPC) Davidson
olpc at myna.ws
Thu Jan 10 18:37:32 EST 2008
Bernardo,
FYI,
I just recently updated from build 650 (G1G1 factory build) to
Update.1675. Noticed a different behavior for accessing
*root account* and functions.
I used to be able to open Terminal (or Ctrl-Alt-Neighborhood) and enter the
following at the unix/bash prompt:
$ su -
or
$ su -l
But now, after the update, those don't seem to work. But I did discover the
alternative method:
$ sudo <command>
I typically like the solution of
$ sudo bash
for several root level commands.
QUESTION:
Which direction is OLPC/XO Laptop headed for doing updates and
installation of software?
One could also limit the programs which can be run under 'sudo', as another
solution.
Issue is definitely complex and no easy solution apparent!
-Iain
On Jan 9, 2008 4:20 PM, Bernardo Innocenti <bernie at codewiz.org> wrote:
> Hello Florian,
>
> the attached patches add an option to pause login until the user hits
> a key.
>
> We need something like it on OLPC because:
>
> - we don't want to set an empty password for either user root or olpc
>
> - at the same time, we want to allow users to login as root at the
> console
>
> - finally, we do not wish to waste memory on shells the user hasn't
> yet used
>
> The security model we are implementing is very different from UNIX: we
> ultimately trust the user at the console, but we don't trust applications
> and we don't want them to gain root privileges using su or sudo with no
> password.
>
> I'm committing these changes to the OLPC-2 branch of mingetty in
> Fedora CVS. Please let me know if you'd like to merge them or
> something similar.
>
> --
> \___/
> |___| Bernardo Innocenti - http://www.codewiz.org/
> \___\ One Laptop Per Child - http://www.laptop.org/
>
>