OpenSUSE -- insecure by default?

[smolloy]

I've just installed openSuse 11, my first suse install since 9.3, and, althought it's going quite well, I've been a bit surprised by some of their choices for defaults.

The first thing I noticed was that the installer has an option to allow me to use my user's password as the root password, and, even worse, this option was selected by default! Perhaps this is something borrowed from Ubuntu (where the first user added has full sudo access), but teaching users to only have the same password for their user as for root seems very insecure. In fact, it reminds me too strongly of Windows!

Another thing I cam across is that, by default, sudo requires the root password, not the user's password, in order to gain permissions. This seems like another strange choice for a default. If you're having to pass the root password out to users in order to use sudo, then what protection does sudo offer? Why don't they just use su? I thought the point of sudo was to allow some users escalated privileges, while keeping the root password sacrosanct?

Anyway, that's my rant over. Suse is otherwise quite slick, but I just thought those were a couple of strange default choices.

[bigtomrodney]

I agree on the use of the root password for sudo. This has been the case though with SUSE as far back as I remember. It does seem to defeat the purpose...