You can also edit the /etc/sudoers file to get around the shutdown problem, or anything you want to run as root.

In the above "slack" is the hostname of my computer. "pwroff" is a special group I created to that has permission to execute the poweroff & reboot commands as root, without a password. You could just as easily use the group "users" if you wanted. /etc/sudoers is also where the "wheel" group gets it's power, btw, but it's disabled by default.

If you want to add the pwroff group & use it, then you need to run this command, as root:
Then find all the groups that your user currently belongs too:
Then add yourself to the pwroff group, while relisting the ones from above:
And make sure it worked:
Edit: Forgot, you also need to change the permissions on /usr/bin/poweroff & /usr/bin/reboot, assuming you're using the "pwroff" group. Mine looks like this:
You can change the group on the 2 files with:

Thanks guys.

hi, synaptical.
Do you still have this theme? Where can I download it?

http://synaptical.dyndns.org/screens/flux_0620.png

1. I can't create a directory in /home when I use the new user account. How to deal with that? And how to make the new user account have permission to write file to all of directory in the system?

2. I have some shotcut in the taskbar (gnome web browser based on mozilla), I don't use that browser, so I want to move it from taskbar. However, the new user account seems not has this permission to do so because the command remove is not available(appears as grey color) when I right click the browser icon. What should I do?

Please help. Thanks a lot.

well if I remember correctly I added a 2nd superuser by looking in the /etc/passwd
file. The closer a user gets to 0:0 the closer to becoming a superuser he/she is. I believe. At any rate KDE treated my user as root when I changed that part of the line to 0:0 as opposed to the rather large numbers...

1. you'd have to make the directories in /home as root and then chown/chmod them, or use the adduser script to create the /home directories and files automagically.

giving normal users permissions to write to the entire system is a bad idea. if you absolutely have to have that sort of functionality, use sudo. (have you even been reading the responses in your own thread? )

Am not absoltely sure, but just gonna lost some words despite of ..

I got the idea to lock the root account just like those DAEMOND accounts, processes can still run under those Daemond's account but they can not login as those users on tty/consoles. The default is locked whenever an account is created, therefore we gotta activate it through the "passwd" command. To give password to an account is also to activate its capability to login to ttys ..

After disable the root account (not yet tested), one surely will need an replace with superuser/root priviledge. Superuser priviledge mean to have the UID=0 and GID=0. So creating an user this way at least can fool intruders a little bit in case they try to crack root password, they can not loggin.

But root access can still be gained (am not such RATE or THIEF) and still can be destructive .., so that only fool a little bit. But it got real reason why some big systems need other priviledge user account, some it suffices to give them only membership to gid=0.

what you're describing sounds to me like "security through obscurity," which from what i understand is weak security. imho, it's better to learn how to secure your box through traditional means -- turning off services you don't need, making good passwords, etc. *nix has been around for a long time, and people have learned the best procedures to "harden" a system. so i would say start first with those "tried and true" methods, and then only get "fancy" later when you know more about what you're doing. (e.g., disabling root sounds inherently risky from a usability standpoint! ) i think the security sticky at LQ would be a good place to start.

Yeah unix has been true long around .., i have /etc/rc.d/inetd even "chmod 644"-ed, surely previously disabled some services of it b4 finally, /etc/hosts* all already secured, my password is surely included some keys to type with shift.

It is actually not difficult to test its usability, if the system is booting up there root is not loged in, it functioned without the root has to login to the system. I've compiled the latest bind n created the /chroot/named to jail it on there n have it run as user "named" homedir is /chroot/named n it has not even all access its own homedir /chroot/named, only to certain directory under there /chroot/named/{var,etc/sec}, the rest subdirectories owned by root. Files that named will read like /chroot/named/etc/{named.conf,rndc.key,rndc.conf} are owned also by root, but group owner is named, making it still have read access if by rwxr-----.

If I do "cat /proc/`pidof named`/environ", it has PATH="", N it run WONDERFULL, rndc can also be used to control the running named ..

So I consider root password locking is not too advandturish only not having the time n necessity, not yet. But to say n to have practiced is totally different thing my friend ..

My first account of unix is from november 1991

But thanx for the link to LQ security, I missed it, but i didn't have a bookmark to it, so I was seldom there. But now it is a good time for having a bookmark of ..

well it sounds like you know what you are doing, so go at it. my first *nix account is with home linux june 2003, so you can tell i am not as advanced as the stuff you are talking about. actually, i didn't look at the poster name and thought i was responding to the original poster, so i was basing my comments more on that. but glad that the LQ security thread is useful to you, at least.

There's a good Slack-specific hardening tutorial in the LQ security resource list if anyone's interested (well it seems good to me as a security newb).

sorry, guys.
I am still struggling with the new user account.
1. Please have to look at this screenshot first.
http://homepages.ihug.co.nz/~icoigo/010.png
The menu command inside the red circle on top can't be clicked, and how can I remove that shotcut?

2. I just downloaded the new software, and I can't use installpkg command. Do I have to install all of software by using root? Can I do that with the new user account?

Heaps of thanks.

1. you could log in as root and try to remove it, and then log back in as the user.
2. afaik, usually you have to run installpkg as root

For question one, when I log in as root, the shotcut appears as different. That is there is not any those short cut in the taskbar though.

To make it so a plain jane user can mount floppies, etc you need to login as root and modify /etc/fstab. After you have it open in emacs, vim, whatever go to the entry for, say, your cdrom and change where the entry says "defaults" (or it might say root and some other things) and add "users" to the list (and remove "root" if its there). Save it, and you're done. This [b]should[b] work, but since I typed this from memory, i could be wrong.