LinuxQuestions.org
Old 09-15-2011, 03:05 PM   #1
Juc1
Member
 
Registered: Sep 2011
Location: UK
Posts: 73

Rep: Reputation: 0
Sudoers


Hi all,

I know how to edit a file when logged in as root, but I think for security reasons root should not have shell access. So do I need to give my user account permission to edit files, and if so, do I do this in etc/sudoers?

Does this in etc/sudoers give josoap permission to edit files?

josoap ALL=(ALL) ALL

Thanks
 
Old 09-15-2011, 03:12 PM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Gentoo, Slackware
Posts: 14,900
Blog Entries: 2

Rep: Reputation: 3811
Normally you use the command visudo to edit that file, it will lock the file and check for errors after installing.
The line you gave will allow the user to do everything in your system, not just edit files.

Quote:
I think for security reasons root should not have shell access.
Can you please explain that? Do you mean a remote or local access?
 
1 members found this post helpful.
Old 09-15-2011, 03:15 PM   #3
torchnw
LQ Newbie
 
Registered: Jun 2008
Distribution: Ubuntu, Debian, Mint, Fedora, Arch
Posts: 23

Rep: Reputation: 4
Yes. ALL =(ALL) ALL gives you the same permissions as root ( when using sudo ).

You can also give those permissions to a group instead, and add any users to that, if you wish. Like this

%admin ALL=(ALL) ALL
 
1 members found this post helpful.
Old 09-15-2011, 03:24 PM   #4
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, Ubuntu, SLES, CentOS
Posts: 1,689

Rep: Reputation: 305
@ Reply

Hi there,

Quote:
josoap ALL=(ALL) ALL
Yes, the above will give user josoap full access on the system. In fact he will have same access as that of root. As I can understand you want to disable root's shell access but what difference above will make. I mean instead of root you are giving josoap full access on shell, it's just the name change from root to josoap.

Better way that I can think of is set a strong password for root user and add trusted people in sudoers with limited access.
 
1 members found this post helpful.
Old 09-15-2011, 03:34 PM   #5
Juc1
Member
 
Registered: Sep 2011
Location: UK
Posts: 73

Original Poster
Rep: Reputation: 0
Thanks to all for your helpful replies. I forgot to say I am talking about a Debian VPS. I think it is not good for sudoers to give all permissions to the user like this...
josoap ALL=(ALL) ALL

...but I can instead give permissions for just particular commands such as apt-get. So instead of saying 'give all permissions to josoap' can I say in sudoers 'give josoap permissions to use apt-get and to edit files'? If so can anyone please tell me the correct syntax?

Thank you
 
Old 09-15-2011, 03:40 PM   #6
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, Ubuntu, SLES, CentOS
Posts: 1,689

Rep: Reputation: 305
@ Reply

Here is the link that will help you out: http://www.cyberciti.biz/tips/allow-...s-as-root.html

Here is another: http://www.sudo.ws/sudo/man/1.8.2/sudoers.man.html

Last edited by T3RM1NVT0R; 09-15-2011 at 03:42 PM.
 
Old 09-15-2011, 04:23 PM   #7
Juc1
Member
 
Registered: Sep 2011
Location: UK
Posts: 73

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by T3RM1NVT0R View Post
Ok thanks for these links. Can anyone please tell me if this looks ok...

josoap ALL=/bin/kill, /usr/apt-get, /var/vi

...to mean that josoap can run the kill command from the bin directory, the apt-get command from the usr directory and can edit any file in the var directory (or at least any file that is editable by root).

Thank you
 
Old 09-15-2011, 05:27 PM   #8
torchnw
LQ Newbie
 
Registered: Jun 2008
Distribution: Ubuntu, Debian, Mint, Fedora, Arch
Posts: 23

Rep: Reputation: 4
Quote:
Originally Posted by Juc1 View Post
Ok thanks for these links. Can anyone please tell me if this looks ok...

josoap ALL=/bin/kill, /usr/apt-get, /var/vi

...to mean that josoap can run the kill command from the bin directory, the apt-get command from the usr directory and can edit any file in the var directory (or at least any file that is editable by root).

Thank you
Not quite. AFAIK you can't specify a directory where you can edit the files. ( Maybe in the hostname entry, but I wouldn't know the syntax )

This line:

josoap ALL=/bin/kill, /usr/bin/apt-get, /usr/bin/vi

will let you run those commands with root credentials, effectively letting you edit any file you open with vi.
 
1 members found this post helpful.
Old 09-15-2011, 05:28 PM   #9
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, Ubuntu, SLES, CentOS
Posts: 1,689

Rep: Reputation: 305
@ Reply

Code:
josoap ALL=/bin/kill, /usr/apt-get, /var/vi
There is a little modification that will be required

Code:
josoap ALL=/bin/kill, /usr/bin/apt-get, /usr/bin/vi
And, if you want to run them without password then put it as follows:

Code:
josoap ALL=NOPASSWD: /bin/kill, /usr/bin/apt-get, /usr/bin/vi
I hope this helps.
 
1 members found this post helpful.
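An added example (not posted by anyone in this thread): a small auditor for the one-line sudoers rules discussed above, flagging the three things the replies point out: an `ALL` command list, `NOPASSWD`, and an editor run as root, which can write any file. It handles only single-line user specifications without aliases; the `EDITORS` list and the `sudoedit` rule are constructed for illustration.

```python
import re

# Editors mentioned in the thread plus common relatives (constructed list).
EDITORS = {"vi", "vim", "nano", "pico"}

# One-line user spec: who host = [(runas)] [TAG: ...] cmd[, cmd ...]
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def audit(line):
    """Return (code, detail) findings for one sudoers user specification."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")):
        return []
    m = SPEC.match(line)
    if m is None:
        return [("UNPARSED", line)]
    findings = []
    if "NOPASSWD:" in m.group("tags"):
        findings.append(("NOPASSWD", "commands run without re-entering a password"))
    for cmd in filter(None, (c.strip() for c in m.group("cmds").split(","))):
        path = cmd.split()[0]
        if path == "ALL":
            findings.append(("ALL_COMMANDS", "same access as root"))
        elif path == "sudoedit":
            continue  # built-in: edits only the files named in the rule
        elif not path.startswith("/"):
            findings.append(("RELATIVE_PATH", path))
        elif path.rsplit("/", 1)[-1] in EDITORS:
            findings.append(("EDITOR_AS_ROOT", path))
    return findings

# Rules quoted from the thread, plus one constructed sudoedit alternative.
RULES = [
    "josoap ALL=(ALL) ALL",
    "josoap ALL=NOPASSWD: /bin/kill, /usr/bin/apt-get, /usr/bin/vi",
    "josoap ALL=/bin/kill, /usr/bin/apt-get, /usr/bin/vi, /usr/bin/pico",
    "josoap ALL=/usr/bin/apt-get, sudoedit /etc/ssh/sshd_config",
]

if __name__ == "__main__":
    for rule in RULES:
        codes = [code for code, _ in audit(rule)]
        print(f"{', '.join(codes) or 'ok':<32} {rule}")
```

With the last rule, the user edits the named file with `sudoedit /etc/ssh/sshd_config`; whatever tool you use to review rules, `visudo -c` remains the syntax check for the real file.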
Old 09-15-2011, 05:51 PM   #10
Juc1
Member
 
Registered: Sep 2011
Location: UK
Posts: 73

Original Poster
Rep: Reputation: 0
OK awesome, thank you
 
Old 09-15-2011, 05:57 PM   #11
Juc1
Member
 
Registered: Sep 2011
Location: UK
Posts: 73

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by TobiSGD View Post

Can you please explain that? Do you mean a remote or local access?
It is a Debian server and I mean the thing that if root has ssh access then a hacker could potentially get into ssh by guessing the password with brute force.

Thanks
 
Old 09-15-2011, 06:02 PM   #12
mreff555
Member
 
Registered: Sep 2011
Location: Philly
Distribution: Gentoo
Posts: 435

Rep: Reputation: Disabled
Quote:
Originally Posted by Juc1 View Post
Hi all,

I know how to edit a file when logged in as root, but I think for security reasons root should not have shell access. So do I need to give my user account permission to edit files, and if so, do I do this in etc/sudoers?

Does this in etc/sudoers give josoap permission to edit files?

josoap ALL=(ALL) ALL

Thanks
If you are talking about local, that sounds like a bad idea.
As far as remote goes, I believe remote root is disabled by default.

Last edited by mreff555; 09-15-2011 at 06:10 PM. Reason: whoops guess I should have read the entire correspondence first.
 
Old 09-15-2011, 06:12 PM   #13
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, Ubuntu, SLES, CentOS
Posts: 1,689

Rep: Reputation: 305
@ Reply

Quote:
It is a Debian server and I mean the thing that if root has ssh access then a hacker could potentially get into ssh by guessing the password with brute force.
Well you can disable root's access via ssh. Edit sshd_config file:

Code:
vi /etc/ssh/sshd_config
And there is a parameter which says "PermitRootLogin"; if it is set to yes, then change it to no.

If you want to access the server via ssh, then access it using your username and then su - root.

You should take care of one thing: never log in to the GUI using the root account. If you are connecting to your server using ssh, the best practice would be to log in using your user account and then su - root.

Last edited by T3RM1NVT0R; 09-15-2011 at 06:14 PM.
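An added example (not part of the post above): a check that the `PermitRootLogin` edit actually takes effect. sshd uses the first value it obtains for a keyword, so appending `PermitRootLogin no` below an existing `yes` changes nothing. The sample configs are constructed, and `Include` files and `Match` blocks are not evaluated.

```python
def effective_permit_root_login(config_text):
    """Return the global PermitRootLogin value set in this sshd_config text,
    or None if the file leaves it to sshd's built-in default."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out settings set nothing
        # Keyword and argument are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks follow; the global section is over
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].split()[0].strip('"')  # first value wins
    return None

def root_login_blocked(config_text):
    """True only when the file explicitly sets PermitRootLogin to no."""
    return effective_permit_root_login(config_text) == "no"

# Constructed sample: "no" was appended at the end, but an earlier "yes" remains.
APPENDED = """\
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""

# Constructed sample: the existing line was changed in place.
EDITED = """\
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("appended", APPENDED), ("edited", EDITED)):
        print(name, effective_permit_root_login(text), root_login_blocked(text))
```

On a live host, `sshd -t` validates the file before the service is reloaded, and `sshd -T` (run as root) prints the configuration sshd will actually use.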
 
Old 09-16-2011, 02:32 PM   #14
Juc1
Member
 
Registered: Sep 2011
Location: UK
Posts: 73

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by T3RM1NVT0R View Post
Well you can disable root's access via ssh. Edit sshd_config file:

Code:
vi /etc/ssh/sshd_config
OK thanks. I think pico is much friendlier than vi so I guess I could add...
Code:
josoap ALL=/bin/kill, /usr/bin/apt-get, /usr/bin/vi, /usr/bin/pico
 
Old 09-16-2011, 02:45 PM   #15
Juc1
Member
 
Registered: Sep 2011
Location: UK
Posts: 73

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by TobiSGD View Post
Can you please explain that? Do you mean a remote or local access?
Can I please clarify this - I use putty on my home laptop to connect to my VPS in another country so I guess that would be remote access. But I can also log in to the VPS via Parallels Plesk Panel which has its own SSH client. So is that still remote access, or I mean is there any real difference between these two types of SSH login?

Thanks
 
  


All times are GMT -5. The time now is 12:48 PM.
