openSUSE: Post-install for workstations

Configure sudo

Configuring sudo lets users perform administrative actions without logging in as the root user. This increases security and auditabillity, which is ideal for a multi-user system.

Add yourself to the wheel group

Users in the wheel group will be able to run commands as root. You can add users to the wheel group through YaST or with the command below. You may need to log out and in again for this to take effect.

sudo usermod -aG wheel users

Edit /etc/sudoers

It is recommended to use visudo to catch mistakes. Run sudo visudo, and change the following:

/etc/sudoers
Defaults targetpw ALL ALL=(ALL) ALL %wheel ALL=(ALL) ALL

If you make a mistake, you can run su to log in as root.

Disabling the root account

When sudo works correctly, you can lock the root account for additional security.

Ensure you have another way of accessing the root account, such as through sudo with your user's password. Otherwise, you will need to use a recovery medium to access the root account.

Run the command below to lock the root account:

sudo passwd -l root

To undo this, boot from a recovery medium, mount and chroot to your root partition, and run passwd.

Configuring kdesu

kdesu is used by KDE and openSUSE to launch applications with root privileges. By default, it asks for root's password, but you likely want it to do as sudo. To make kdesu ask for the user's password instead, run:

kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo

Media codecs and more from Packman

Considerations

Software from Packman is not in the standard repositories for a reason – see Restricted formats on the openSUSE Wiki for more information.

You're also installing software from a third party that could be distributing malware. The latter risk can be somewhat mitigated by setting a lower priority for the repository, which prevents Packman from changing packages like systemd or bash.

Adding the repository

The commands below will add the Packman repository with a lower priority than the standard repositories. Run the command appropriate for your system – see /etc/os-release.

Tumbleweed
sudo zypper addrepo -fp 100 http://packman.jacobs-university.de/suse/openSUSE_Tumbleweed/ packman
Leap 15.0
sudo zypper addrepo -fp 100 http://packman.jacobs-university.de/suse/openSUSE_Leap_15.0/ packman
Leap 15.1
sudo zypper addrepo -fp 100 http://packman.jacobs-university.de/suse/openSUSE_Leap_15.1/ packman

At some point, you will be asked to trust the key. You can tell zypper to always trust the key with a. The correct key has fingerprint F8875B88 0D518B6B 8C530D13 45A1D067 1ABD1AFB (as of 16 Febuary 2019).

Installing software from Packman

First, you should switch some of the packages you already have installed to Packman with:

sudo zypper dup --from packman --allow-vendor-change

When installing software from Packman, you may need to use the --from packman flag to override the standard repositories.

For example, to install x264, FFmpeg, and some GStreamer plugins from Packman, run:

sudo zypper install --from packman x264 ffmpeg gstreamer-plugins-bad gstreamer-plugins-libav gstreamer-plugins-ugly