From 5bacd60b22e4d0d9c507f6bdb84d92e41a5802b6 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen <suomalainen@aminda.eu>
Date: Mon, 12 Jan 2026 11:24:15 +0200
Subject: [PATCH] n/essentialsoftware.md: a few more words on sudo

---
 n/essentialsoftware.md | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/n/essentialsoftware.md b/n/essentialsoftware.md
index d707284..980693e 100644
--- a/n/essentialsoftware.md
+++ b/n/essentialsoftware.md
@@ -48,6 +48,7 @@ _{{ page.excerpt }}_
   - [BTRFS](#btrfs)
   - [Swap](#swap)
   - [sudo](#sudo)
+    - [The `sudo` lecture for reference](#the-sudo-lecture-for-reference)
   - [systemd presets](#systemd-presets)
   - [Debian](#debian)
     - [sources.list](#sourceslist)
@@ -571,14 +572,20 @@ just a matter of `sudo swapon -a`
 
 ### sudo
 
-- https://codeberg.org/Aminda/shell-things/src/branch/cxefa/etc/sudoers.d
+- [sudoers.d in my "shell-things" (dotfiles)](https://codeberg.org/Aminda/shell-things/src/branch/cxefa/etc/sudoers.d)
 
 Consider these:
 
 ```sudoers
-# Thanks Tails
+# Thank you Tails, for first leading me to these:
+
+# Always ask for password
 Defaults timestamp_timeout=0
+
+# Display asterisks when entering passwords (as opposed to nothing)
 Defaults pwfeedback
+
+# When using sudo, always display the lecture (see below Arch)
 Defaults lecture = always
 ```
 
@@ -592,6 +599,27 @@ Additionally Arch Linux should consider either
 #%wheel ALL=(ALL:ALL) ALL
 ```
 
+#### The `sudo` lecture for reference
+
+```txt
+We trust you have received the usual lecture from the local System
+Administrator. It usually boils down to these three things:
+
+    #1) Respect the privacy of others.
+    #2) Think before you type.
+    #3) With great power comes great responsibility.
+```
+
+I consider the second point especially important and wonder if it could save
+less experienced users from clickfix by looking scary.
+
+In my root shell, I like to append
+
+> Additionally you shouldn't be logging in as root directly.
+
+while I keep doing it anyway, but that is bad for auditing purposes as there
+will not be a trace in logs who did what as root unlike with `sudo`.
+
 ### systemd presets
 
 You are practically **_guaranteed horrible time especially on Debian_**, unless