Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I know how to edit a file when logged in as root, but I think for security reasons root should not have shell access. So do I need to give my user account permission to edit files, and if so, do I do this in etc/sudoers?
Does this in etc/sudoers give josoap permission to edit files?
Normally you use the command visudo to edit that file, it will lock the file and check for errors after installing.
The line you gave will will allow the user to do everything in your system, not just edit files.
Quote:
I think for security reasons root should not have shell access.
Can you please explain that? Do you mean a remote or local access?
Yes, the above will give user josoap full access on the system. Infact he will have same access as that of root. As I can understand you want to disable root's shell access but what difference above will make. I mean instead of root you are giving josoap full access on shell its just the name change from root to josoap.
Better way that I can think of is set a strong password for root user and add trusted people in sudoers with limited access.
Thanks to all for your helpful replies. I forgot to say I am talking about a Debian VPS. I think it is not good for sudoers to give all permissions to the user like this...
josoap ALL=(ALL) ALL
...but I can instead give permissions for just particular commands such as apt-get. So instead of saying 'give all permissions to josoap' can I say in sudoers 'give josoap permissions to use apt-get and to edit files'? If so can anyone please tell me the correct sytnax?
Ok thanks for these links. Can anyone please tell me if this looks ok...
josoap ALL=/bin/kill, /usr/apt-get, /var/vi
...to mean that josoap can run the kill command from the bin directory, the apt-get command from the usr directory and can edit any file in the var directory (or at least any file that is editable by root).
Ok thanks for these links. Can anyone please tell me if this looks ok...
josoap ALL=/bin/kill, /usr/apt-get, /var/vi
...to mean that josoap can run the kill command from the bin directory, the apt-get command from the usr directory and can edit any file in the var directory (or at least any file that is editable by root).
Thank you
Not quite. AFAIK you can't specify a directory where you can edit the files. ( Maybe in the hostname entry, but I wouldn't know the syntax )
Can you please explain that? Do you mean a remote or local access?
It is a Debian server and I mean the thing that if root has ssh access then a hacker could potentially get into ssh by guessing the password with brute force.
I know how to edit a file when logged in as root, but I think for security reasons root should not have shell access. So do I need to give my user account permission to edit files, and if so, do I do this in etc/sudoers?
Does this in etc/sudoers give josoap permission to edit files?
josoap ALL=(ALL) ALL
Thanks
If you are talking about Local that sounds like a bad Idea.
As far as remote goes, I believe remote root is disabled by default.
Last edited by mreff555; 09-15-2011 at 06:10 PM.
Reason: whoops guess I should have read the entire correspondence first.
It is a Debian server and I mean the thing that if root has ssh access then a hacker could potentially get into ssh by guessing the password with brute force.
Well you can disable root's access via ssh. Edit sshd_config file:
Code:
vi /etc/ssh/sshd_config
And there is a parameter which says "PermitRootLogin" if it is set to yes then change it to no.
If you want to access server via ssh then access it using your username and then su - root.
You should take care of one thing that never login to GUI using root account. If you are connecting to your server using ssh the best practice would be to login using your user account and then su - root.
Last edited by T3RM1NVT0R; 09-15-2011 at 06:14 PM.
Can you please explain that? Do you mean a remote or local access?
Can I please clarify this - I use putty on my home laptop to connect to my VPS in another country so I guess that would be remote access. But I can also log in to the VPS via Parallels Plesk Panel which has its own SSH client. So is that still remote access, or I mean is there any real difference between these two types of SSH login?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.