|
Changing Root and Sudo pass
Might be a dumb question but is making the root password different from sudo password a good idea? I read that sudo obfuscates the root's password, so Idk if changing the root pass would interfer with that, or reduce security.. Also how would I know which setuid programs query other setuid programs in order to complete it's operation, is it hinted or referenced somewhere in the man pages? And would the targetpw flag in visudo negate the need for querying passwd? Thank you in advance!!
|
The sudo password is that of the user invoking the sudo command so it should not be the root password. In other words if user1 is issuing a command with sudo then user1 would use his/her password not root's. That is the purpose of sudo, so a normal user can execute a command as root without being root and no need to know the root password.
|
Thanks for the reply but why then on Ubuntu does the first user that's created with the installation use the default password (pass you setup during installation) for both sudo and root.. Of course I know that other users should not use the root password for their sudo, but for the admin is it ok? I guess it should be since it does this by default, but would changing either the sudo or root pass so that their not the same make it more secure?
|
There's no such thing as a 'sudo password' (as far as I-newbie-too know)!
It is *the user's*, different for each user. (like a website verifying YOUR pwd [to edit profile]) From this (#7) it looks like Ubuntu doesn't ask for a root password! Strange...other 'distro's do. Can someone explain (what's Ubuntu's *root* password?) Oh: it's "locked", so *su* (not meaning sudo) &login as root won't work. Apparently, it's possible to: sudo passwd root (to give root a password you choose) |
The general idea behind using "sudo" is that of least privilege. Accounts should have just enough access to get their jobs done, no more, no less. The way many distros apply "sudo" doesn't make that obvious because they just open the system wide open by default instead of providing a demo of the granularity available in "sudo"
I have no influence on the direction Ubuntu and Linux Mint take but if I were setting the defaults for /etc/sudoers, I would propose something like this for the initial default: Code:
%sudo ALL=(root:root) /usr/sbin/visudo ""Code:
%sudo ALL=(root:root) /usr/bin/apt-getThere's more, but "sudo" is surprisingly advanced. Michael W Lucas covers it in his presentation sudo : you're doing it wrong and in his fairly concise book, sudo Mastery. Those two resources can be skimmed quickly to find the parts interesting for you, then you can dig deeper in the manual page for sudoers Code:
man sudoers |
OK ok mybad I remember sudo is just a group and by default the first user would be in that group (but why if their already in the admin group?) and then you enter your own user password.. And I meant Mint I apologize, but you can login to Ubuntu as root with sudo -i..
|
Quote:
For that reason, it is a good idea for Ubuntu users to always make a second account and use that second account for daily activities, leaving the first account only for when administration is necessary. Same for Linux Mint and others that have the same defaults. |
Quote:
|
Quote:
|
|
Quote:
|
Quote:
|
Quote:
|
Quote:
|
Interesting stuff indeed, but I think it would just make people more Linux/GNU aware, and would inspire trying out different distros as a result. But idk everyone seems so content with Mac and Windows regardless..
|
Quote:
|
Yup, that's just the way it is :/
|
Here is another thing about sudo. If you do not want your users to ever become root you need to lock sudo so they cannot sudo into a shell. Reason being is once issuing the command (bash in this example) sudo bash they become root. Sudo is very powerful is used correctly and very dangerous if used incorrectly.
|
Quote:
|
Quote:
|
I was aware sudoers had a whitelist in env_keep and env_check but I dont know how to edit that.. I'll look into those resources you mentioned thank you.
|
Quote:
so the question to that person would then be, how do you lock down a sudo file when the only one allowed to edit it is them that have been given either the root password ot sudo rights. even then within the sudoers file you can limit what a sudo user can do. so all ya got a do is take away, that right to edit the sudo file. ok I just created a user jumped into that user and did Code:
sudo bashCode:
[shithead@voided ~]$ sudo bashso what ya mean LOCK DOWN the sudoers file? sounds like a ruse to me. |
Quote:
|
Quote:
Quote:
Locking down "sudo" means whitelisting actions. If you want someone to get root shell, you simply add them to a group that can do so. The following line does that and more for the group sudo: Code:
%sudo ALL=(ALL:ALL) ALLCode:
%sudo ALL=(root:root) /usr/sbin/visudo ""However, even with the admin and webmasters examples above, there are probably ways around "apt-get" itself and maybe Apache via the configuration files. The former could certainly be more compartmentalized. However, "sudo" is a helper for people you already trust. If you don't trust them, they should not be working for you. And as far as intruders go, they've already gotten in too far and you missed detecting them in time. |
Quote:
|
Quote:
|
No void here. Just making people aware that not locking out execution of shells will still allow a user to gain more privileges then what they want them to have.
|
Quote:
|
| All times are GMT -5. The time now is 12:52 AM. |