Easy to use/install (was Re: [Novalug] Community contribution)

DonJr djr1952@hotpop.com
Wed Jan 23 15:41:06 EST 2008


On Wed, 2008-01-23 at 10:16 -0500, Megan Larko wrote:
> DonJr wrote:
> 
> Hello Don,

Hello

> > On Tue, 2008-01-22 at 08:30 -0800, Beartooth wrote:
> >> On Tue, 22 Jan 2008, greg pryzby wrote:
> >>
> 
> <SNIP--megan>
> > 
> > <SNIP>
> > 
> >>  	Apart from that, however, if you don't mind retyping your 
> >> password every time you turn around (a/o you've used Megan's 
> >> blessed trick of giving it a root password so you can keep a root 
> >> tab handy on your terminal), I have to admit it *has* been easy.
> > 
> > Another simple choice is to add or adjust the following entry in the
> > file /etc/sudoers:
> >     # Members of the admin group may gain root privileges
> >     %admin  ALL=(ALL)  NOPASSWD: ALL
> > 
> > Add the "NOPASSWD:" part to the entry.
> > And make sure that your normal userid is a member of the group admin.
> 
> Cool Don!  I had not thought of doing that.   I also don't think that I 
> would have entered the line correctly either.  Like Beartooth, I hated 
> having to sudo for my sysadmin stuff.   Moreover, sometimes even with 
> sudo, I could not do that which I wanted to do.  For some reason  I 
> still received a  "permission denied" error message.   All of that went 
> away when I created a genuine root user.     My concern about the above 
> is security.   Please see comment below.

This is why I like 'sudo -i': it gives you a root prompt much the
same as "su -" used to do on older systems.

> > 
> > The GUI type application will no longer ask you for your password and
> > when using 'sudo' from the command line it won't either.
> > 
> > And the easiest and simplest way to open a root shell is:
> >    sudo -i
> > in a terminal.
> 
> My security concern is that the above may be too easy.  I do not allow 
> direct root login to my systems (other than "rescue" or "emergency" 
> boot).   I have a user or users who have permission to escalate to root. 

The above still requires that the user is a member of the "admin" group.

>   Even then, I leave it such that the root password must be entered.  I 
> may be behaving in a slightly paranoid manner here, but the systems 
> belong to my company.   I prefer to give a little more security 
> especially when it is easy to do so.

Without the "nopasswd:" addition the "sudo -i" still works and the
password the user is required to remember is their own.

The only three main differences between a "root login" and "sudo -i" are:
  1 - The user must first login as their normal userID,
      one with admin level privileges.
  2 - with sudo the user is required to only know their own password
      {by default}
  3 - By default after 15 minutes sudo will require you to reenter your
      password.  {by default}

With a properly configured pam everything else is the same.

> > 
> > NONE of my Ubuntu based systems currently have the "root user" password
> > set and yet I open a root prompt as needed and never get asked for a
> > password.
> > 
> > BTW
> >   Using the "Xubuntu Expert" version of the installer it asked me if I
> > wanted to SET the "root password" and IF I wanted to enable X logins as
> > the root user.
> 
> Good to know.     I haven't tried that yet either.
> 
>     <SNIP  megan>
> 
> Thanks Don!
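
An added example, not part of the original message: a small audit of sudoers content for the NOPASSWD setting discussed in this thread, separating rules that waive the password for every command (as `%admin ALL=(ALL) NOPASSWD: ALL` does) from rules that waive it only for named commands. The function names and the sample sudoers text are constructed for illustration; `#uid` user specs and included files are not handled.

```shell
#!/bin/sh
# Added example: flag sudoers rules that waive the password prompt.
# Output format (an assumption of this example): line:level:who

audit_nopasswd() {
    awk '
    # Join continuation lines (trailing backslash) into one logical rule.
    /\\$/ { sub(/\\$/, ""); buf = buf $0; if (!start) start = NR; next }
    {
        line = buf $0; n = start ? start : NR; buf = ""; start = 0
        # "#include" and "@include" are directives, not rules: skip them.
        if (line ~ /^[ \t]*[#@]include/) next
        sub(/#.*/, "", line)                  # strip comments
        if (!match(line, /NOPASSWD[ \t]*:/)) next
        cmds = substr(line, RSTART + RLENGTH) # commands after the tag
        # A later PASSWD: tag turns the prompt back on for what follows it.
        if (match(cmds, /[ ,\t]PASSWD[ \t]*:/)) cmds = substr(cmds, 1, RSTART)
        sub(/^[ \t]+/, "", line); who = line; sub(/[ \t].*/, "", who)
        level = "limited"
        m = split(cmds, c, ",")
        for (i = 1; i <= m; i++) {
            gsub(/[A-Z_]+[ \t]*:|[ \t]/, "", c[i])  # drop other tags, blanks
            if (c[i] == "ALL") level = "unrestricted"
        }
        print n ":" level ":" who
    }' "$@"
}

# Constructed sample input (not taken from any real system).
sample_sudoers() {
    cat <<'EOF'
# Constructed sample sudoers
Defaults env_reset
root    ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin  ALL=(ALL)  NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \
                   /bin/tar
%wheel  ALL=(ALL)  ALL
EOF
}

sample_sudoers | audit_nopasswd
```

To check a live configuration, pass a file name as root, for example `audit_nopasswd /etc/sudoers`; files it includes need to be checked separately.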




