LinuxQuestions.org
Fedora This forum is for the discussion of the Fedora Project.

Old 04-12-2006, 07:17 AM   #1
diego_cn
Member
 
Registered: Mar 2006
Distribution: fedora 7
Posts: 62

Rep: Reputation: 16
su with no password?


Hello,

I am using FC4. I know this might be a simple problem for most of you, but how can I set no password prompt when I try to use 'su', like in Mandriva? It's quite annoying to type it every time.

Also, if root has no password, can I still log in as root from the command line?

Thanks
 
Old 04-12-2006, 07:35 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
You absolutely do not want to leave root passwordless!

This would be extremely irresponsible. (Almost as bad as logging in as root all the time...) The password is there for your protection and for the protection of everyone you share a network with (i.e. the internet).

You should not be using root "all the time" in any case.
You should add yourself to sudoers and use sudo for those rare times you need to do some ad-hoc admin. Leave the root account for when you want a system overhaul.

What on earth do you use root for that it gets annoying?
 
Old 04-12-2006, 08:46 AM   #3
ralvez
Member
 
Registered: Oct 2003
Location: Canada
Distribution: ArchLinux && Slackware 10.1
Posts: 298

Rep: Reputation: 30
I do not think diego is asking to have root with no password but "su" with no password.
That is possible, but as Simon indicates you must (a) add yourself to the wheel group (b) modify sudoers (/etc/sudoers) like this:
<code>
youruserid ALL=NOPASSWD:/sbin/shutdown,/etc/sbin/halt,/etc/rc.d/httpd
</code>
Naturally, you will add (after the NOPASSWD) the programs you want to have access to.

Hope this helps.

Rick
 
Old 04-12-2006, 09:00 AM   #4
geeman2.0
Member
 
Registered: Feb 2005
Location: Ontario, Canada
Distribution: Gentoo, Slackware
Posts: 345

Rep: Reputation: 30
Quote:
That is possible, but as Simon indicates you must (a) add yourself to the wheel group (b) modify sudoers (/etc/sudoers) like this:
That's all well and good, but won't that only give him no-password access to the sudo command, not the su command?

Passwordless sudo is great for the odd command that you want to run as root, but passwordless su would just be dumb.
Is it really that hard to type in a password every once in a while?
With a passwordless su (if that's even possible) any script kiddie could compromise your system simply by attempting the su command.
 
Old 04-12-2006, 09:03 AM   #5
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
I understood - su with no password is the same as root with no password. Sudo without password is marginally better, but not by much.

This is insecure!

It should be noted that if you sudo lots, like within 5 mins of each other, you can generally do this without re-entering the user password. If it is frequent use that is annoying, then sudo may be right for you ... you can even set the sudo time limit longer - and explicit-kill sudo when you're done.

Usually users want this sort of thing due to some sort of misunderstanding. There is normally something they keep wanting to do, and they don't realise there is a way of doing it without su - root or sudo.

Making superuser access easier is the cure that killed the patient.

Last edited by Simon Bridge; 04-12-2006 at 09:05 AM.
 
Old 04-12-2006, 09:22 AM   #6
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
Quote:
That's all well and good, but won't that only give him no-password access to the sudo command, not the su command?
... this is correct. The su command is not the only way to shell to superuser. Some distros disable the root user altogether and only use sudo (set up by the installer for the first user) for admin tasks. Ubuntu for eg. (And some distros only have a root user - like Linspire and Windows.)

Thus no password (or only a user password and none for the following five mins - recommended) will be required doing anything in terminal which requires superuser access. Including sudo -s -H to open a root terminal.

The administration scripts activated by the gui will still need the root password. (Unless the launcher command is edited to prepend "sudo" of course.)
 
Old 04-12-2006, 04:36 PM   #7
ralvez
Member
 
Registered: Oct 2003
Location: Canada
Distribution: ArchLinux && Slackware 10.1
Posts: 298

Rep: Reputation: 30
With all due respect I think we are getting stuck in semantics here.
The sudoers exist so that server administrators can "delegate" power to other users that have a valid reason to run certain applications.
Used wisely is an excellent tool and I respectfully disagree with the statement:
Quote:
I understood - su with no password is the same as root with no password. Sudo without password is marginally better, but not by much.
This is insecure!
Sudo is a granular level of root control, supported by (as far as I know) all versions of Unix (including AIX) and if used wisely there is no reason to feel that the system is at greater threat than it otherwise would be by any user in the network with insecure passwords.

Having said that I do not consider it wise to use ALL:ALL with sudo, to me it eliminates the "granular control" of the tool altogether.

Last edited by ralvez; 04-12-2006 at 04:37 PM.
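
An added example, not part of any post in this thread: a small shell audit that separates the cases argued over above, namely NOPASSWD scoped to named commands, NOPASSWD on ALL or on a shell (which amounts to passwordless su), and a sudo timestamp that never expires. The sample rules are constructed, the users alice, bob and carol are hypothetical, and the parser assumes one rule per line with no aliases, includes or line continuations.

```shell
#!/bin/sh
# Added example: audit sudoers-style text for the cases debated in this thread.
# Assumes one rule per line; aliases, includes and continuations are not handled.

# Constructed sample. The first rule is the line from post #3; the users
# alice, bob and carol are hypothetical.
SAMPLE='# constructed sudoers sample
Defaults timestamp_timeout=30
youruserid ALL=NOPASSWD:/sbin/shutdown,/etc/sbin/halt,/etc/rc.d/httpd
alice ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
bob ALL=(ALL) NOPASSWD: /usr/bin/yum, /bin/sh
Defaults:carol timestamp_timeout=-1
'

# Print one finding per line: "HIGH ..." or "OK ...".
audit_sudoers() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    { who = $1 }
    /timestamp_timeout=/ {
        v = $0
        sub(/.*timestamp_timeout=/, "", v)
        sub(/[^-0-9].*/, "", v)
        # A negative value means the cached credential never times out.
        if (v + 0 < 0) print "HIGH " who " timestamp never expires"
        next
    }
    /NOPASSWD:/ {
        cmds = $0
        sub(/.*NOPASSWD:[ \t]*/, "", cmds)
        n = split(cmds, c, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            cmd = c[i]; sub(/[ \t].*/, "", cmd)   # drop arguments
            base = cmd; sub(/.*\//, "", base)     # basename
            if (cmd == "ALL")
                print "HIGH " who " passwordless ALL"
            else if (base ~ /^(su|sh|bash|zsh|ksh|csh|dash)$/)
                print "HIGH " who " passwordless root shell via " cmd
            else
                print "OK " who " scoped " cmd
        }
    }'
}

audit_sudoers "$SAMPLE"
```

On a real host, `visudo -c` checks the syntax of the installed sudoers file and `sudo -l -U user` lists the rules that actually apply to a user.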
 
Old 04-12-2006, 06:15 PM   #8
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
Quote:
Used wisely is an excellent tool
I'll agree with this - the trick is the definition of "wisely".

One of the "wise" security policies is to set "wise" passwords - particularly for administrative privileges. Under what circumstances would you consider an empty string, a "wise" password, for anybody?
 
Old 04-12-2006, 06:36 PM   #9
ralvez
Member
 
Registered: Oct 2003
Location: Canada
Distribution: ArchLinux && Slackware 10.1
Posts: 298

Rep: Reputation: 30
That is precisely the point Simon, he is NOT running the command with an empty string when using sudo. He has to be logged in as himself with a valid password. You can make the argument that if he uses a weak password NOW we have a problem ... but then again if he is using a weak password the system is already compromised by it.
In my experience a sysadmin will not give access to the sudoers list to members of the network, but to the few he trusts.

Again, I think we both agree in the principle here, you are just more strict
 
Old 04-12-2006, 07:12 PM   #10
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
Quote:
He has to be logged in as himself with a valid password.
... exactly and understood already... leaving aside the potential to leave his account open when he leaves the machine, the possibility of having remote access enabled, or the potential for malware to promote its access by this means (all these things have happened) - I'm not referring to that. Nor even that the sudo designers intended that the user verify that it is really them by re-entering their password.

Instead, compare with the same thing on the root account itself... if "su" has no password then any user can su to root just by pressing enter. Perform admin tasks etc.

Now look at what I actually said:
Quote:
Originally Posted by simon
su with no password is the same as root with no password. Sudo without password is marginally better, but not by much.
This is insecure!
... this was the bit quoted by you.

1. Sudo is the same as su (with no password).
The functional difference between sudo and su (in the context of this thread) is that the passwords are different, and sudo has a time limit before the user will be challenged again. (su is not challenged for as long as the terminal is open, but is always challenged when invoked.) If sudo and su were to have the same password, the only difference would be the sudo timeout. But if sudo and su each have no password, the timeout becomes a hit enter... thus passwordless sudo and passwordless su are the same (in function).

2. Sudo without password is marginally better (than enabling root without a password).

This is because of the fact that one must be logged in as a valid sudoer in order to invoke sudo at all. This is still insecure. Very much insecure compared with a password protected sudo.

On a scale in which running passwordless root is way down near the "insecure" end and running with all passwords enabled is near the "secure" end ... I would stick a rootless sudo closer to the "insecure" end than to the "secure" end. Perhaps you disagree? This was behind the comment. And the "marginal" part.

3. This is insecure.
For a given value of "secure" of course. It is not as insecure as posting your root password on the internet. But it is less secure than keeping the password enabled.


Now I agree that sudo (properly managed) is more secure than su. Disabling su and using sudo only is even more secure.

I used to think that having a different password for admin (over user) was better security. Technically, it should be. However, this ignores the reality of linux use. In practice, users tend to choose poor passwords anyway and leave the root terminals open as long as they are logged in (sometimes for weeks). By comparison, sudo is more rigorous.
 
Old 04-12-2006, 07:38 PM   #11
ralvez
Member
 
Registered: Oct 2003
Location: Canada
Distribution: ArchLinux && Slackware 10.1
Posts: 298

Rep: Reputation: 30
Like I said in the previous post ... I think we agree in the basic principle. I also think that when it comes to "is this 1 notch up in the security level and the other 1/2 down" type of thing, it all becomes a matter of opinion, and technical discussions get trapped in semantics and definitions.

I prefer to have (a) secure alphanumeric passwords with no less than 8 characters (can be more), (b) Do not add anyone to the sudoers and (c) rotate passwords every so often. But that's me... I even run my home network on paranoid mode (my wife uses Windows and I have a 13 years old ... you get the idea).

OK. Gotta get back to work, but was nice chatting with you.

Rick
 
Old 04-12-2006, 08:21 PM   #12
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
That's pretty much my thing too... awhile back I tried seeing just how paranoid I could be and still have a functional system. The answer is - extremely paranoid (I managed to get a workable SELinux system in paranoid mode) - but it is also possible to lock things too tight.

These days I'm more interested in practical security.

For eg. The number one vulnerability is poor passwords.
I do not internet bank in NZ because the banks have odd restrictions on passwords (must be 8 numbers for some, only upper case alphanumerics for others... still restricted to 8, I think they've all been sold the same software ... I have seen Win2000 server crash notices on ATMs here)

I have a small home network myself but I also administer larger networks for medium sized businesses and high schools.

My opening remarks were intended to be a tad hysterical-sounding - I want to make sure this guy realises he's doing something that is widely regarded as "unwise". My main concern here is that this sort of request tends to be symptomatic of a general security ignorance. And it always helps make your point if you jump up and down and wave your arms about

I've been at a convention and broken into people's laptops for a demonstration ... amazing how often people are surprised that I could guess their password as being their username, or the root user password is "root" or "admin" or "access". An empty password is actually about fifth down the list of ones I guess. So you can see why the alarm?

Malware can promote itself when there is a societal tendency to relax security in a particular way. We've already seen that users can be almost relied on to run suspect shell scripts without checking what they do (there was a thread here from someone who downloaded a script claiming to make linux run better, but it actually moved the entire filesystem to the bitbucket - as well as redirecting stdout to the same place. The script was small and obvious, but he didn't even open it and see, or ask how such a small file could improve performance for anybody.)

If it could be relied on that a user running the script also has an unwise password (you can run sudo from a script)... well, we may as well be running windows.

As I said before - I think the request may be the result of a repeated task, or set of tasks, that could be better done by another means.

I only touch root access for installing software from source (latest - the nvidia drivers) - or using apt/yum. And I can probably run those last two as a cron job. So for the root password to be an annoyance, root access is probably being obtained far too often.
 
Old 04-12-2006, 09:12 PM   #13
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
... which leaves diego to make his choice.
<waves> Hi Diego? How's it goin'?
 
Old 04-13-2006, 03:45 AM   #14
diego_cn
Member
 
Registered: Mar 2006
Distribution: fedora 7
Posts: 62

Original Poster
Rep: Reputation: 16
Wow, the speed of you guys replying is far faster than I expected, and thanks for all the attention.

I guess it's a good idea for an admin to have a strong sense of system security. However, I am just a poor linux newbie who's forced to use linux for daily work because my Windows crashes all the time.

I said it was annoying to type su password because I install software a lot, and I have no need to worry about security since the worst case is just reinstall (well trained in the world of windows already:-D)

So guess I will just stick to 'sudo' since the solution is already there for me to use.

Diego
 
  

