Oh. And before any of you lay any blame on the maintainers of these open source projects.

How many of you have blindly installed stuff by running curl | sudo bash ?

Did you verify the binaries and the code the bash script ran/installed? How did you confirm trust on those binaries?

Xz is the OSS supply chain attack we know about. You can guarantee there are many, many more. How we manage installation and dependencies should perhaps have a little more thought...
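One way to act on the "did you verify it?" question above, as an added example that is not part of the thread: save the installer to disk, compare it against a SHA-256 digest obtained out of band (e.g. from the project's release page), and only then run it. The URL and digest are placeholders the caller supplies; `sha256sum` or `shasum` is assumed to be installed.

```shell
#!/bin/sh
# Added example: never pipe the network straight into a shell. Fetch the
# script to a file, check its digest against one published elsewhere, and
# execute exactly the bytes that were checked.

# Print the SHA-256 of a file; works with coreutils and BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise.
# Comparing the saved file means what is checked is what would be run.
verify_script() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# fetch_verify_run URL EXPECTED_SHA256: download, verify, then run as the
# current user. Read the script before adding sudo in front of this.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    if verify_script "$tmp" "$expected"; then
        sh "$tmp"
        status=$?
    else
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}
```

A digest pinned in your own install notes only helps if it came from somewhere other than the same server that serves the script; a detached signature checked with the project's published key is the stronger form of the same idea.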

@quixoticgeek `curl | sudo bash` is horrifying on so many levels. Projects that suggest this as an install method are immediately suspect to me.

While I'm on a rant, the Ubuntu style "sudo for everything from the default user account" is disturbing as well. Day-to-day user accounts should NOT have root access, full stop.

@allpoints @quixoticgeek to be fair in Ubuntu you can control which users have sudo access. So if you're security minded you can turn that off.

There's probably a better option that has something that lets users add/remove packages but doesn't have all the other privileges.

It's not much effort, but you don't want everyone to be able to do su root.

@themself @quixoticgeek yes, you absolutely can configure sudo access. But the default Ubuntu install automatically gives full access to the user account it creates on install. It could, e.g., create a separate "admin" acct. It's why you see tutorials that prepend every command with `sudo`.

Re configuring sudo: heads up, systemd breaks the use of 'localhost' in the config file as it no longer maps back to 127.0.0.1.


@allpoints @themself the defaults with sudo suck. Even worse are the systems where sudo doesn't even need a password. I don't understand the point of having to put sudo in front of a command but not asking for a password; it seems pointless.


@quixoticgeek @allpoints agree that the defaults aren't secure. I also don't get why you wouldn't prompt for a password; that's so crazy that you may as well not bother with sudo!

(void *) social site
