Total access to the system
 

I encounter a questionable question again:

How can you give total access to the system to a user other than root?

* Make the user a member of the root group.
* Change the UID of the user to 0.
* Add the user to the /etc/sudoers file.

I think none of these are correct answers. Am I right or wrong? Please comment.

A UID of 0 is root; you can't give that to a normal user. Pretty much what you are saying is to log in as root.... Adding your user to the sudoers file is the way to go.

Cheers,

Josh

Seem the last one is the most relevant answer. Maybe I am just paranoid. I think just adding the user to /etc/sudoers is not enough, you must write it properly to give it all privileges.

Although usermod cannot change a normal user's UID to 0, editing /etc/passwd directly can do this. Logout and login, the normal user just becomes root. So, the second answer may also be correct?

I see this question from Redhat Skills Assessment from their web page.

Yes, but now you need to think about this.... Why give someone else full system rights, when you have root that does already? Can't you share the root account if you need two system administrators? To do what you want to do is technically pointless.

But I do see what you are saying though; If you really want to do that, you could edit the /etc/passwd directly like you said and drop 0 UID to each user you need to.

Just be pedantic at the question. In practice, sure we won't do that, which will bring more trouble.

What do you mean?

And I posted for a second time right before you posted that, not sure if you read that or not.

That question is not from my needs, but a question from Redhat Skills Assessments.

I mean I won't change a normal user's UID to 0 even if I can. You might mean the whole question. I think it is still useful to do that. In practice, I grant all privileges to a normal user in /etc/sudoers to avoid always logining as root. Maybe there are better and safer practices?

i personally use the /etc/sudoers and have a group i have created in there and only assign the user that need the rights to that group saves me from having to go in to the file every time and give me better control over who there as i can quickly and easily see who is in the group and i know that group and that group only has rights to use sudo. mind you this may be a bit high on the admin side setting up a group but i feel this would be the safer way and i might be wrong about it and if i am please someone correct me. also for any one that interested you might want to read up on the best practices for sudo

http://www.linuxplanet.com/linuxplan...orials/7165/1/

Thanks for the link. I see the default configuration for Ubuntu and Fedora both using a group for sudoers. Only user in that group can gain root privileges, respectively admin and wheel group. But privileges are not fine-grained. I think that should be enough for Desktop usages, but may not for a cluster of servers.

That is right by default the sudoers file is set up to give the group admin all however you can Specify what commands a user is aloud to run. For instance if i was to make a group called tech i could say they aloud to run all commands except for the su command as sudo i would put the following in my sudoers file.

this will restrict users in the tech group from using sudo to run the su command but can be further specified you could specify only the commands you want the user to use but this will become a big job for your admin team.

Why doesn't this work? sysop can still visudo or su.

But if I changed to below, it will work:

Please give me a bit to go over this and look at my system see why this would not work. i will edit once i come back with a answer that is a strange issue just for reference what dist are you using. what groups do you have sysop in as well.sorry about the delay i took the weekend off to go surf.

I been testing it a bit please ignore the user name being misspell i had gotten the user created and well i did not feel like deleting it and recreating it just for a misspelling since it only a test.

i set up a user sysyop and put this user in the admin group giving it all sudo commands then changed the sudoers file as shown below.

first code i tried just a a proof of concept.

this worked
result is that the user can run sudo vi but cant run sudo visudo.

Appears to work.

The next code i have tried was this.

The result for this is user still cant run visudo.

This seemed to work for me as well hopefully all this helps

i still doing some testing but if this has helped let me know .

Anyone looking at this please note this was only tested on ubuntu i can not say how it will react on different system.

I tested your examples and they work like your results. Have you tested my first example? It won't prevent sysop to sudo or su. My sysop is not in any special group. I retested with a more generic sudoers file:
But if you move the "!" before "ADMIN" in the last line will prevent sysop to sudo or su.

I noticed in sudoers(7) that Cmnd_list does accept "!" symbol. So the syntax is correct. I also noticed in the examples of sudoers(7) all the command aliases do not use "!", they use "!" in user specification lines, and this just works OK.

I have not read the whole man page of sudoers. Looking into the source code may help？