Total access to the system
I encounter a questionable question again:
How can you give total access to the system to a user other than root? * Make the user a member of the root group. * Change the UID of the user to 0. * Add the user to the /etc/sudoers file. I think none of these are correct answers. Am I right or wrong? Please comment. |
A UID of 0 is root; you can't give that to a normal user. Pretty much what you are saying is to log in as root.... Adding your user to the sudoers file is the way to go.
Cheers, Josh |
Seem the last one is the most relevant answer. Maybe I am just paranoid. I think just adding the user to /etc/sudoers is not enough, you must write it properly to give it all privileges.
|
Although usermod cannot change a normal user's UID to 0, editing /etc/passwd directly can do this. Logout and login, the normal user just becomes root. So, the second answer may also be correct?
I see this question from Redhat Skills Assessment from their web page. |
Yes, but now you need to think about this.... Why give someone else full system rights, when you have root that does already? Can't you share the root account if you need two system administrators? To do what you want to do is technically pointless.
|
But I do see what you are saying though; If you really want to do that, you could edit the /etc/passwd directly like you said and drop 0 UID to each user you need to.
|
Just be pedantic at the question. In practice, sure we won't do that, which will bring more trouble.
|
Quote:
And I posted for a second time right before you posted that, not sure if you read that or not. |
Quote:
I mean I won't change a normal user's UID to 0 even if I can. You might mean the whole question. I think it is still useful to do that. In practice, I grant all privileges to a normal user in /etc/sudoers to avoid always logining as root. Maybe there are better and safer practices? |
i personally use the /etc/sudoers and have a group i have created in there and only assign the user that need the rights to that group saves me from having to go in to the file every time and give me better control over who there as i can quickly and easily see who is in the group and i know that group and that group only has rights to use sudo. mind you this may be a bit high on the admin side setting up a group but i feel this would be the safer way and i might be wrong about it and if i am please someone correct me. also for any one that interested you might want to read up on the best practices for sudo
http://www.linuxplanet.com/linuxplan...orials/7165/1/ |
Thanks for the link. I see the default configuration for Ubuntu and Fedora both using a group for sudoers. Only user in that group can gain root privileges, respectively admin and wheel group. But privileges are not fine-grained. I think that should be enough for Desktop usages, but may not for a cluster of servers.
|
Quote:
Code:
Cmnd_Alias ADMIN = /bin/,\ |
Why doesn't this work? sysop can still visudo or su.
Code:
# User alias specification Code:
# User alias specification |
Please give me a bit to go over this and look at my system see why this would not work. i will edit once i come back with a answer that is a strange issue just for reference what dist are you using. what groups do you have sysop in as well.sorry about the delay i took the weekend off to go surf.
I been testing it a bit please ignore the user name being misspell i had gotten the user created and well i did not feel like deleting it and recreating it just for a misspelling since it only a test. i set up a user sysyop and put this user in the admin group giving it all sudo commands then changed the sudoers file as shown below. first code i tried just a a proof of concept. this worked Code:
# User alias specification Quote:
Code:
# User alias specification Quote:
Code:
# User alias specification Quote:
Code:
# User alias specification Anyone looking at this please note this was only tested on ubuntu i can not say how it will react on different system. |
I tested your examples and they work like your results. Have you tested my first example? It won't prevent sysop to sudo or su. My sysop is not in any special group. I retested with a more generic sudoers file:
Code:
Defaults env_reset I noticed in sudoers(7) that Cmnd_list does accept "!" symbol. So the syntax is correct. I also noticed in the examples of sudoers(7) all the command aliases do not use "!", they use "!" in user specification lines, and this just works OK. I have not read the whole man page of sudoers. Looking into the source code may help? |
All times are GMT -5. The time now is 03:19 PM. |