LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Sudoers (http://www.linuxquestions.org/questions/linux-newbie-8/sudoers-903228/)

Juc1 09-15-2011 04:05 PM

Sudoers
 
Hi all,

I know how to edit a file when logged in as root, but I think for security reasons root should not have shell access. So do I need to give my user account permission to edit files, and if so, do I do this in etc/sudoers?

Does this in etc/sudoers give josoap permission to edit files?

josoap ALL=(ALL) ALL

Thanks

TobiSGD 09-15-2011 04:12 PM

Normally you use the command visudo to edit that file, it will lock the file and check for errors after installing.
The line you gave will will allow the user to do everything in your system, not just edit files.

Quote:

I think for security reasons root should not have shell access.
Can you please explain that? Do you mean a remote or local access?

torchnw 09-15-2011 04:15 PM

Yes. ALL =(ALL) ALL gives you the same permissions as root ( when using sudo ).

You can also give those permissions to a group instead, and add any users to that, if you wish. Like this

%admin ALL=(ALL) ALL

T3RM1NVT0R 09-15-2011 04:24 PM

@ Reply
 
Hi there,

Quote:

josoap ALL=(ALL) ALL
Yes, the above will give user josoap full access on the system. Infact he will have same access as that of root. As I can understand you want to disable root's shell access but what difference above will make. I mean instead of root you are giving josoap full access on shell its just the name change from root to josoap.

Better way that I can think of is set a strong password for root user and add trusted people in sudoers with limited access.

Juc1 09-15-2011 04:34 PM

Thanks to all for your helpful replies. I forgot to say I am talking about a Debian VPS. I think it is not good for sudoers to give all permissions to the user like this...
josoap ALL=(ALL) ALL

...but I can instead give permissions for just particular commands such as apt-get. So instead of saying 'give all permissions to josoap' can I say in sudoers 'give josoap permissions to use apt-get and to edit files'? If so can anyone please tell me the correct sytnax?

Thank you :)

T3RM1NVT0R 09-15-2011 04:40 PM

@ Reply
 
Here is the link that will help you out: http://www.cyberciti.biz/tips/allow-...s-as-root.html

Here is another: http://www.sudo.ws/sudo/man/1.8.2/sudoers.man.html

Juc1 09-15-2011 05:23 PM

Quote:

Originally Posted by T3RM1NVT0R (Post 4472812)

Ok thanks for these links. Can anyone please tell me if this looks ok...

josoap ALL=/bin/kill, /usr/apt-get, /var/vi

...to mean that josoap can run the kill command from the bin directory, the apt-get command from the usr directory and can edit any file in the var directory (or at least any file that is editable by root).

Thank you :)

torchnw 09-15-2011 06:27 PM

Quote:

Originally Posted by Juc1 (Post 4472837)
Ok thanks for these links. Can anyone please tell me if this looks ok...

josoap ALL=/bin/kill, /usr/apt-get, /var/vi

...to mean that josoap can run the kill command from the bin directory, the apt-get command from the usr directory and can edit any file in the var directory (or at least any file that is editable by root).

Thank you :)

Not quite. AFAIK you can't specify a directory where you can edit the files. ( Maybe in the hostname entry, but I wouldn't know the syntax )

This line:

josoap ALL=/bin/kill, /usr/bin/apt-get, /usr/bin/vi

will let you run those commands with root credentials, effectively letting you edit any file you open with vi.

T3RM1NVT0R 09-15-2011 06:28 PM

@ Reply
 
Code:

josoap ALL=/bin/kill, /usr/apt-get, /var/vi
There is a little modification that will be required

Code:

josoap ALL=/bin/kill, /usr/bin/apt-get, /usr/bin/vi
And, if you want to run them without password then put it as follows:

Code:

josoap ALL=NOPASSWD: /bin/kill, /usr/bin/apt-get, /usr/bin/vi
I hope this helps.

Juc1 09-15-2011 06:51 PM

OK awesome, thank you :)

Juc1 09-15-2011 06:57 PM

Quote:

Originally Posted by TobiSGD (Post 4472788)

Can you please explain that? Do you mean a remote or local access?

It is a Debian server and I mean the thing that if root has ssh access then a hacker could potentially get into ssh by guessing the password with brute force.

Thanks :)

mreff555 09-15-2011 07:02 PM

Quote:

Originally Posted by Juc1 (Post 4472783)
Hi all,

I know how to edit a file when logged in as root, but I think for security reasons root should not have shell access. So do I need to give my user account permission to edit files, and if so, do I do this in etc/sudoers?

Does this in etc/sudoers give josoap permission to edit files?

josoap ALL=(ALL) ALL

Thanks

If you are talking about Local that sounds like a bad Idea.
As far as remote goes, I believe remote root is disabled by default.

T3RM1NVT0R 09-15-2011 07:12 PM

@ Reply
 
Quote:

It is a Debian server and I mean the thing that if root has ssh access then a hacker could potentially get into ssh by guessing the password with brute force.
Well you can disable root's access via ssh. Edit sshd_config file:

Code:

vi /etc/ssh/sshd_config
And there is a parameter which says "PermitRootLogin" if it is set to yes then change it to no.

If you want to access server via ssh then access it using your username and then su - root.

You should take care of one thing that never login to GUI using root account. If you are connecting to your server using ssh the best practice would be to login using your user account and then su - root.

Juc1 09-16-2011 03:32 PM

Quote:

Originally Posted by T3RM1NVT0R (Post 4472921)
Well you can disable root's access via ssh. Edit sshd_config file:

Code:

vi /etc/ssh/sshd_config

OK thanks. I think pico is much friendlier than vi so I guess I could add...
Code:

josoap ALL=/bin/kill, /usr/bin/apt-get, /usr/bin/vi, /usr/bin/pico

Juc1 09-16-2011 03:45 PM

Quote:

Originally Posted by TobiSGD (Post 4472788)
Can you please explain that? Do you mean a remote or local access?

Can I please clarify this - I use putty on my home laptop to connect to my VPS in another country so I guess that would be remote access. But I can also log in to the VPS via Parallels Plesk Panel which has its own SSH client. So is that still remote access, or I mean is there any real difference between these two types of SSH login?

Thanks :)


All times are GMT -5. The time now is 01:29 PM.