Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
Not to my knowledge. ROOT = GOD on Unix/Linux systems. Once a user knows the root password, the only way to limit that user is to change the password. You can set the users on your system up to use sudo instead. It's a much better way to allow temp root privileges for certain users.
In addition to what jthill said I would add that your first problem is that unauthorized people know the root password.
You can remedy this problem as jthill said by using sudo. That way you put the name of the authorized user account into the /etc/sudoers file and that person only needs to know their own password to do whatever they need to do that requires privileges. This way you don't share the root password with anyone and the authorized person cannot tell others the root password.
It's not a fool proof system but it is better than telling one person the root password and then that person shares the password with unauthorized people, if that is what is happening.
To add to what was said above, the sequence is this:
1. install sudo,
2. configure sudo so the user who need root access can get it using sudo
3. Educate the sudo user about the sudo command needed to do the job
4. change the root password to something NO ONE ELSE KNOWS
5. wait for the panic calls from the users who should never have had root access, complaining that it went away.
If you do not change the root password AND keep the new one secret, you will not have solved the problem.
This takes some chops. If you own the machine, this is no problem. If you have a boss, if those who just lost root authority complain to the boss that they can no longer work because of the change he MAY order you to reverse this! You need to have informed him about what you are doing and have his support FIRST in this case. If you have no boss or ARE the boss, get it done yesterday.
Been there, done that, buried the melted phone beside the parking lot in an unmarked grave. (But made the new policy stick, and improved uptime by a 9!)
Couldn't any user defeat the SU_WHEEL_ONLY option by just logging in as root? In other words, logout of the system completely and then login as:
pw: <root password>
I still say the root password makes anyone GOD on a Linux system. Am I wrong?
In principle, one could disable ssh root logins and lock the machine up somewhere (no console access) and turn off all other remote login services so that people could only login via ssh. Then people could not login directly as root (at least not in any way I could think of -- /bin/login appears to require root privs already to work). Still, the point remains that untrusted users having the root password is a very bad thing. Still, a good reason to disable su is so that even trusted users have to use sudo, which provides much more fine grained access control.
Since the real problem is that other users know the root password, the first step should be to change the root password.
You can configure sudo to use the users password instead of the target password (root's password) to allow trusted regular users to run some root commands but not learn the root password.
If you don't lock down the sudo configuration, users can get around it by running "sudo /bin/bash" or a shell escape in vim, but the first command would be logged, and they would have to remember to edit the log.
If the regular users only need to do things like mount external drives, and eject media, instead of giving them sudo access, consider using PolicyKit instead.
Look at the "polkit-auth" command or the KDE/Gnome policy editors.