I absolutely agree. Linux is not suited to home use, where the owner, and often sole user, is performing user tasks and administrator tasks, often mixing the two in the course of normal use.I think the point is that doas and sudo are generally worse because they conflate the user, the dog developer and administrator into one account.
In my opinion the opposite approach would be better. Rather than adding more privilege to a user account by means of a bunch of setuid programs, what one really needs is a security model that allows a user to set up sandboxing and limited execution environments without needing superuser powers.
Here's the thing though. You might have created only one user and only ever login as that user but Linux is inherently multiuser. /etc/passwd on the "single user" Pi 5 next to me right now has 39 entries.* The vast majorty of those, while standard, exist primarily for reasons of security.
However, if strict differentiation is enforced, it will inconvenience and even alienate home users, will encourage them to do everything via 'root' as the easy option, the only usable option.
Passwordless 'sudo' is an attempt to make life easier for such home users but often turns 'sudo' into being perceived as a mere "please".
Passwordless sudo is evil. We likely have it because it was simpler than having to educate users new to both Pi and Linux (and coming from a windows background) about the whole Linux/Unix owner, group, and permissions system. Though at the time it was made we still had a default user and password that the world and his wife knows so, arguable, requiring the default user's pasword would have added little to no protection.
If you think "evil" is too strong, consider this: There seems to be a lot of Pi in publically accessable locations running kiosks that are a web browser on top of a logged in full desktop.** If I plug in a keyboard or device than can emulate a keyboard I now have unrestricted root level access.
Passwordless sudo, especially for the default auto login user is a huge security problem. Even MS Windows pops up a dialog box before going ahead with escalation whether it needs a password or not.
Decisions were made based on the original target audience and original purpose of the Pi - to get kids coding - and we're still dealing with the fallout from that.
Pi were designed to create coders not sysadmins so while I disagree with some of the decisions I can see why they were made.
It seems there are better ways it can be done but if those ways aren't explained to home users, the better ways aren't encouraged, even enforced, nothing is going to change.
For some values of "better". Plus the general Linux philosophy seems to be "There are 37 ways of doing something. Not everyone agrees on which are the right and wrong ways. We do it using method 23 but we won't stop you using methods 13 through 19 which almost everyone agrees are the wrong way or some other method if you want to."
*: wc -l /etc/passwd
**: I'd expect ones created and sold for this purpose by any of the big names to not be configured that way but last time I checked that's the way the official kiosk mode tutorial tells you to set it up.
Statistics: Posted by thagrol — Wed May 01, 2024 6:15 pm