Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've noticed that "su" can be run from any user account so long as the user knows the root password. What if I want to limit the ability to "su" to only 1 user account?
For example: Pretend my desktop has 4 different user accounts. Currently each user account could run "su" for root access if the person sitting in front of the screen knows the password.
My questions:
1) Could I somehow make only 1 of the 4 user accounts able to "su" into root mode?
2) If yes, then would doing so have any side-effects?
Thank you.
Click here to see the post LQ members have rated as the most helpful post in this thread.
You want "sudo", which lists who can do what in /etc/sudoers and /etc/sudoers.d. Don't let the manpage scare you, look at the examples towards the end or google for them.
sudo bash (or your preferred shell) works just as well as su.
Not to my knowledge. ROOT = GOD on Unix/Linux systems. Once a user knows the root password, the only way to limit that user is to change the password. You can set the users on your system up to use sudo instead. It's a much better way to allow temp root privileges for certain users.
In addition to what jthill said I would add that your first problem is that unauthorized people know the root password.
You can remedy this problem as jthill said by using sudo. That way you put the name of the authorized user account into the /etc/sudoers file and that person only needs to know their own password to do whatever they need to do that requires privileges. This way you don't share the root password with anyone and the authorized person cannot tell others the root password.
It's not a fool proof system but it is better than telling one person the root password and then that person shares the password with unauthorized people, if that is what is happening.
To add to what was said above, the sequence is this:
1. install sudo,
2. configure sudo so the user who need root access can get it using sudo
3. Educate the sudo user about the sudo command needed to do the job
4. change the root password to something NO ONE ELSE KNOWS
5. wait for the panic calls from the users who should never have had root access, complaining that it went away.
If you do not change the root password AND keep the new one secret, you will not have solved the problem.
This takes some chops. If you own the machine, this is no problem. If you have a boss, if those who just lost root authority complain to the boss that they can no longer work because of the change he MAY order you to reverse this! You need to have informed him about what you are doing and have his support FIRST in this case. If you have no boss or ARE the boss, get it done yesterday.
Been there, done that, buried the melted phone beside the parking lot in an unmarked grave. (But made the new policy stick, and improved uptime by a 9!)
I've noticed that "su" can be run from any user account so long as the user knows the root password....
Quote:
Originally Posted by vtel57
... ROOT = GOD on Unix/Linux systems. Once a user knows the root password, the only way to limit that user is to change the password...
both is not true. You can configure the su command in a way that only members of the group wheel are permitted to become root via su. Add the option "SU_WHEEL_ONLY yes" to your /etc/login.defs file.
Note that configuring for sudo (which is a very good solution) does not prevent anyone from using su to become root. So consider to do both (restrict su and configure sudo).
both is not true. You can configure the su command in a way that only members of the group wheel are permitted to become root via su. Add the option "SU_WHEEL_ONLY yes" to your /etc/login.defs file.
Couldn't any user defeat the SU_WHEEL_ONLY option by just logging in as root? In other words, logout of the system completely and then login as:
username: root
pw: <root password>
I still say the root password makes anyone GOD on a Linux system. Am I wrong?
Couldn't any user defeat the SU_WHEEL_ONLY option by just logging in as root? In other words, logout of the system completely and then login as:
username: root
pw: <root password>
I still say the root password makes anyone GOD on a Linux system. Am I wrong?
In principle, one could disable ssh root logins and lock the machine up somewhere (no console access) and turn off all other remote login services so that people could only login via ssh. Then people could not login directly as root (at least not in any way I could think of -- /bin/login appears to require root privs already to work). Still, the point remains that untrusted users having the root password is a very bad thing. Still, a good reason to disable su is so that even trusted users have to use sudo, which provides much more fine grained access control.
Since the real problem is that other users know the root password, the first step should be to change the root password.
You can configure sudo to use the users password instead of the target password (root's password) to allow trusted regular users to run some root commands but not learn the root password.
If you don't lock down the sudo configuration, users can get around it by running "sudo /bin/bash" or a shell escape in vim, but the first command would be logged, and they would have to remember to edit the log.
If the regular users only need to do things like mount external drives, and eject media, instead of giving them sudo access, consider using PolicyKit instead.
Look at the "polkit-auth" command or the KDE/Gnome policy editors.
I've noticed that "su" can be run from any user account so long as the user knows the root password. What if I want to limit the ability to "su" to only 1 user account?
Why did you tell the other users the root password, then? That's the whole point of a password: if you know it, you can get in.
Change the password and tell it only to the people who you want to be able to log in as root.
Hmmm - so based upon these replies - it might be possible to limit "su" to just one user, but would everyone agree that adopting the "sudo" instead of "su" approach be easier?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.