Sudoers
 

Hi all,

I know how to edit a file when logged in as root, but I think for security reasons root should not have shell access. So do I need to give my user account permission to edit files, and if so, do I do this in etc/sudoers?

Does this in etc/sudoers give josoap permission to edit files?

josoap ALL=(ALL) ALL

Thanks

Normally you use the command visudo to edit that file, it will lock the file and check for errors after installing.
The line you gave will will allow the user to do everything in your system, not just edit files.

Can you please explain that? Do you mean a remote or local access?

Yes. ALL =(ALL) ALL gives you the same permissions as root ( when using sudo ).

You can also give those permissions to a group instead, and add any users to that, if you wish. Like this

%admin ALL=(ALL) ALL

@ Reply
 

Hi there,

Yes, the above will give user josoap full access on the system. Infact he will have same access as that of root. As I can understand you want to disable root's shell access but what difference above will make. I mean instead of root you are giving josoap full access on shell its just the name change from root to josoap.

Better way that I can think of is set a strong password for root user and add trusted people in sudoers with limited access.

Thanks to all for your helpful replies. I forgot to say I am talking about a Debian VPS. I think it is not good for sudoers to give all permissions to the user like this...
josoap ALL=(ALL) ALL

...but I can instead give permissions for just particular commands such as apt-get. So instead of saying 'give all permissions to josoap' can I say in sudoers 'give josoap permissions to use apt-get and to edit files'? If so can anyone please tell me the correct sytnax?

Thank you :)

@ Reply
 

Here is the link that will help you out: http://www.cyberciti.biz/tips/allow-...s-as-root.html

Here is another: http://www.sudo.ws/sudo/man/1.8.2/sudoers.man.html

Ok thanks for these links. Can anyone please tell me if this looks ok...

josoap ALL=/bin/kill, /usr/apt-get, /var/vi

...to mean that josoap can run the kill command from the bin directory, the apt-get command from the usr directory and can edit any file in the var directory (or at least any file that is editable by root).

Thank you :)

Not quite. AFAIK you can't specify a directory where you can edit the files. ( Maybe in the hostname entry, but I wouldn't know the syntax )

This line:

josoap ALL=/bin/kill, /usr/bin/apt-get, /usr/bin/vi

will let you run those commands with root credentials, effectively letting you edit any file you open with vi.

@ Reply
 

There is a little modification that will be required

And, if you want to run them without password then put it as follows:

I hope this helps.

OK awesome, thank you :)

It is a Debian server and I mean the thing that if root has ssh access then a hacker could potentially get into ssh by guessing the password with brute force.

Thanks :)

If you are talking about Local that sounds like a bad Idea.
As far as remote goes, I believe remote root is disabled by default.

@ Reply
 

Well you can disable root's access via ssh. Edit sshd_config file:

And there is a parameter which says "PermitRootLogin" if it is set to yes then change it to no.

If you want to access server via ssh then access it using your username and then su - root.

You should take care of one thing that never login to GUI using root account. If you are connecting to your server using ssh the best practice would be to login using your user account and then su - root.

OK thanks. I think pico is much friendlier than vi so I guess I could add...

Can I please clarify this - I use putty on my home laptop to connect to my VPS in another country so I guess that would be remote access. But I can also log in to the VPS via Parallels Plesk Panel which has its own SSH client. So is that still remote access, or I mean is there any real difference between these two types of SSH login?

Thanks :)