The Separate User "admin" Plan.
- Add a new user `admin`.
- User `user` not being member of group `sudo`/`su` etc.
- Root login stays disabled. (Already done.) (Restrict root access)
- To gain root rights:
  - Users are advised to login as user `admin` and then use `sudo` as documented on Prevent Malware from Sniffing the Root Password, OR
  - Boot into “sudo mode”.
- No (good) password for user `user` required. (Except, if SSH login is permitted.)
- Good password only required for user `admin`.
Boot into “sudo mode” meaning:
If users choose “sudo mode” in grub boot menu, the system would boot and login the user into user admin rather than user user. User admin would have root. After users are done, these are advised to reboot to continue using user user.
(And those who don’t like it could continue using user admin (bad) or sudo addgroup user sudo (slightly less bad).) [1])
Not sure the cumbersomeness usability wise is acceptable. Could poll about that. Could also poll about various alternatives.
[1] Using user user is an anonymity feature. → GitHub - Kicksecure/dist-base-files: base files for distributions - several important miscellaneous files, such as /etc/hostname, /etc/hosts, /var/lib/dbus/machine-id and more
How? An attacker (let’s say some compromised user account) cannot use su since not member of group sudo. Well, could try to bruteforce the password of user admin? That may be possible until we can port to wayland.
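The core check behind this plan is that the login user `user` is in none of the groups that lead to root, while `admin` is. The following POSIX shell script is an added example, not code from the forum thread or from Kicksecure; it audits an `/etc/group`-style file for exactly that property. The privileged group names (`sudo`, `su`, `wheel`) and the sample group file it builds are assumptions constructed for the example, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the forum post): audit an /etc/group-style file
# to confirm that the unprivileged login user is NOT a member of any group
# that grants root (sudo, su, wheel), while 'admin' is in group sudo.
# Group names are assumptions; the sample file is constructed, not a real
# system's /etc/group.

PRIV_GROUPS="sudo su wheel"

# Write a constructed sample group file and print its path.
make_sample_group_file() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
root:x:0:
sudo:x:27:admin
su:x:999:admin
wheel:x:998:
user:x:1000:
admin:x:1001:
EOF
  printf '%s\n' "$f"
}

# user_in_group FILE USER GROUP -> exit 0 if USER is listed in GROUP's members
user_in_group() {
  file=$1; u=$2; g=$3
  members=$(awk -F: -v g="$g" '$1==g {print $4}' "$file")
  case ",$members," in
    *",$u,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# privileged_groups_of FILE USER -> prints each privileged group USER is in
privileged_groups_of() {
  file=$1; u=$2
  for g in $PRIV_GROUPS; do
    if user_in_group "$file" "$u" "$g"; then
      printf '%s\n' "$g"
    fi
  done
}

# audit_plan FILE -> exit 0 only if 'user' has no privileged group
# and 'admin' can reach root through group sudo.
audit_plan() {
  file=$1
  if [ -n "$(privileged_groups_of "$file" user)" ]; then
    echo "FAIL: user 'user' is in a privileged group" >&2
    return 1
  fi
  if ! user_in_group "$file" admin sudo; then
    echo "FAIL: user 'admin' is not in group sudo" >&2
    return 1
  fi
  echo "OK: only 'admin' can reach root via sudo"
  return 0
}

# Stand-alone usage on the constructed sample file:
sample=$(make_sample_group_file)
audit_plan "$sample"
rm -f "$sample"
```

On a real system you would point `audit_plan` at `/etc/group` instead of the constructed file; a non-zero exit means a compromised `user` session could reach `su`/`sudo` through group membership, which is precisely what the plan is meant to rule out.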
Agreed.