Comment 7 for bug 378862

The purpose of the firstlogin script seems to me to be to perform a series of initial system configuration tasks that require user interaction. I think that no user unable to execute the script should be able to login before the script has run since the person logging in should have the wherewithal to handle any decision-making processes required.

Allowing "regular" users to login before the script has run might leave the system in a semi-configured state that would not be helpful for those users.

The modified sudoers file would work but, again, there is no guarantee that the first user to log in will actually be able to make the right decisions during the script's execution.