[SOLVED] Can I get an overview of Ubuntu's sudo command and root user password?
Disallow password login over ssh. Also disallow root ssh access completely, if that wasn't mentioned already.
I normally use "PermitRootLogin prohibit-password" so that other PCs in my local net can use ssh root (with key access) to access backup storage on my main machine.
That one has an E-sata docking station for backup disks and a SCSI interface to a tape changer drive. So when everything is made ready the previous evening I can go to sleep and the next morning the backups are ready (cron scripts do the work).
Distribution: RPM Distros,Mostly Mandrake Forks;Drake Tools/Utilities all the way!GO MAGEIA!!!
Posts: 986
Original Poster
Thank you for the great replies!
Why was sudo created? What problem did it solve? Does it only make more than one root on a system and that is it plus it keeps the real root's password protected?
Does it only make more than one root on a system and that is it plus it keeps the real root's password protected?
No. Please re-read post #6 above. If you need a long-form explanation get Michael W Lucas' book, sudo Mastery, 2nd edition or his online presentation, "sudo: You're Doing It Wrong".
It solves one problem common in offices: what happens when the sysadmin goes on leave?
She has a team of course, one or two people who know enough to manage the machine without her for a couple of weeks and deal with users' problems on a day-to-day basis. But she doesn't trust them to do really fundamental things like full system updates and in any case she can't give them her password, because once a second person knows a password, in principle everyone knows it!
So she gives them sudo rights to a range of commands that will allow them to keep the system ticking over smoothly while she's away but not allow them to do anything catastrophic. Because that's the thing about sudo: not only does it give root access without the root password but it can be used to give access to specific commands and not others.
I think it was Knoppix that first used sudo as a general go-to-root command that could be used for any purpose. Then Ubuntu popularised the idea for installed systems.
A brief history of 'sudo' at the link below. As you can see it pre-dates Ubuntu and Linux. Ubuntu documentation on the use of sudo on Ubuntu with the pros and cons is at the 2nd link below.
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,800
Quote:
Originally Posted by theKbStockpiler
The actual reason I posted this question is because I don't use a long password for my personal login
Long passwords don't have to be a pain in the neck. See xkcd's "Password Strength" toon for one method of making memorable long passwords. Much better than the mainframe/supermini passwords we were assigned years ago that looked like modem line noise which guaranteed they'd be written down somewhere near each user's desk. (And security policy mandated that we get new ones every three months---right about the time you finally memorized the previous password.)
Quote:
... and Ubuntu will do anything if you put a sudo in front of the command.
I'm not an Ubuntu user but I have yet to encounter a system that disallowed "sudo /bin/bash" which lets you be root for as long as you wanted to. On openSUSE I'm at least required to enter root's password to do this (unless the issuer is in the 'wheel' group). I can only guess that, on a distribution using a password-less root account, that command lets you right in.
As for the SSH issue, check the contents of "/etc/securetty"... if that's used on Ubuntu. It's supposed to contain a list of places where 'root' is allowed to login directly. Usually this file lists all the virtual consoles ('tty1' through 'tty6'). On some systems, it would also contain 'console'.
I have yet to encounter a system that disallowed "sudo /bin/bash" which lets you be root for as long as you wanted to.
On my older machines sudo isn't even installed and anyway, it isn't configured by default in Slackware (which then a real root has to do).
On my working machine I do have it configured to do those "one command things" it isn't worthwhile becoming root for.
PS: the command sudo -i is much shorter and simpler than the one you mentioned, explicitly naming the shell (or others like sudo su). From the man page
Quote:
-i, --login
Run the shell specified by the target user's password database entry as a login shell. This means that login-specific resource files such as .profile, .bash_profile or .login will be read by the shell. If a command is specified, it is passed to the shell for execution via the shell's -c option. If no command is specified, an interactive shell is executed. sudo attempts to change to that user's home directory before running the shell. The command is run with an environment similar to the one a user would receive at log in.
BTW: you can disable this by denying that user access to the shell. Of course this is a bit difficult for the root user, so that's one of the reasons why using sudo for all commands (and destination user IDs) is not that good an idea.
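The contrast drawn in this thread, between sudo rules limited to specific commands and rules that allow a root shell such as "sudo /bin/bash", can be checked mechanically. The following is an added example, not part of any post here: a Python sketch that reads a simplified subset of sudoers syntax (no line continuations, negation or Defaults) and reports which entries amount to full root. The policy text, user names and the SHELL_LIKE list are constructed assumptions.

```python
import re

# Constructed sample policy (not from the thread): a full-root group rule,
# one restricted helper role, and two rules that quietly allow a root shell.
SAMPLE = """\
Cmnd_Alias HELPDESK = /usr/bin/systemctl restart cups, /usr/bin/systemctl restart ssh
Cmnd_Alias SHELLS = /bin/bash, /bin/sh
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(root) HELPDESK
bob     ALL=(root) /usr/bin/apt update, SHELLS
carol   ALL=(root) NOPASSWD: /usr/bin/su -
"""

# Assumed, incomplete list of programs that give an unrestricted root shell.
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "su"}

def parse(text):
    """Return (aliases, rules) from a simplified sudoers subset."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # naive comment stripping
        if not line:
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:\w+:\s*)*(.+)", line)
        if m:
            rules.append((m.group(1), [c.strip() for c in m.group(2).split(",")]))
    return aliases, rules

def full_root(cmds, aliases):
    """Commands (after one level of alias expansion) that equal full root."""
    hits = []
    for c in cmds:
        for real in aliases.get(c, [c]):
            prog = real.split()[0].rsplit("/", 1)[-1]
            if real == "ALL" or prog in SHELL_LIKE:
                hits.append(real)
    return hits

def audit(text):
    aliases, rules = parse(text)
    return {who: full_root(cmds, aliases) for who, cmds in rules}

if __name__ == "__main__":
    for who, hits in audit(SAMPLE).items():
        print(f"{who:8} {'FULL ROOT via ' + ', '.join(hits) if hits else 'restricted'}")
```

Only the entry limited to fixed commands with fixed arguments comes back as restricted; the other three are equivalent to handing out root.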
Long passwords don't have to be a pain in the neck. See xkcd's "Password Strength" toon for one method of making memorable long passwords. Much better than the mainframe/supermini passwords we were assigned years ago that looked like modem line noise which guaranteed they'd be written down somewhere near each user's desk. (And security policy mandated that we get new ones every three months---right about the time you finally memorized the previous password.)
There's a well-known principle here that probably has a name, but I don't know what it is: any attempt to make things more secure will probably end up making them less secure. Someone I once worked with had worked for GCHQ during the war. There was one room in their building which was supposed to be kept locked and which could only be opened with a key that was kept in a locked wall box. You checked out the key for that at the main desk. Of course what happened was that no one ever locked that door because it was such a pain to open it.
Long passwords don't have to be a pain in the neck. See xkcd's "Password Strength" toon for one method of making memorable long passwords. Much better than the mainframe/supermini passwords we were assigned years ago that looked like modem line noise which guaranteed they'd be written down somewhere near each user's desk. (And security policy mandated that we get new ones every three months---right about the time you finally memorized the previous password.)
It is also arguable that a home user should (if not using a password manager) generate complicated passwords then write them down on a piece of paper and stick it in their desk drawer. When was the last time someone broke into your house, and then inspected and stole some paper? I think it at least as important that one never re-use a password; although I am drifting off topic here.