06-02-2005, 12:36 PM
|
#1
|
Member
Registered: May 2005
Location: Cluj, Romania
Distribution: Fedora Core 6
Posts: 226
Rep:
|
Messed up Fedora by editing /etc/passwd
Okay, let me explain... I hate the word root, I don't like this name, but I hate the message "permission denied", so I have found a solution: create a user named "cosmin" (my name) and set in /etc/passwd the uid and gid to 0 for this user. This works. But I have another problem: when I use my user (cosmin) it is almost the same thing as if I use root. For example if I type "whoami", I get "root". So, I thought to edit /etc/passwd and put the user "cosmin" on the first line, and this really solved my problem. I have logged in with cosmin and everything was ok. But when I try to log in, I get about 10 error messages like: "An error occured while loading or saving information for ............ Some of your configuration settings may not work properly.", where .... is: gnome-session, Print Notifier, gnome-settings-daemon, Nautilus and more. And one more different kind of error: "Error activating XKB configuration. Probably internal X server problem. ...." This message is long enough and I cannot copy and paste it here. If you find it necessary, I will write it in the next post. I hope you can help me. And please, please, please don't tell me to edit /etc/passwd to the way it was before, unless it is the only solution to solve my problem... Thank you.
|
|
|
06-02-2005, 01:07 PM
|
#2
|
LQ Guru
Registered: Jan 2001
Posts: 24,149
|
Ok so, this is a fine example of security thru obscurity.. and why you did it, not sure, maybe your own little fetish that you should not worry about when dealing with *nix at all times.
What you need to do is create a user and set up sudo to get access to whatever you need that usually only root has access to. This will protect you and your system.
Creating a user with an ID of 0 and not removing your actual root user with an ID of 0, I'm afraid you just totally fscked up your system or just removing root and making your user with an id of 0 is a really bad idea. Slap yourself on the wrist, bad rookie mistake.
Perhaps before you start editing files, especially account configuration files, you should read more about how the *nix and Linux operating system functions.
Am I being too harsh, sure, you deserve it and you'll learn from it now. I've been yelled at for making stupid mistakes at work. Afterwards, I never make those mistakes ever again as well.
And yes, what I'm going to tell you is that you need to edit your /etc/passwd file back the way it was. Then you're going to either just use su - root to become root when necessary to do whatever it is your regular user doesn't have access to or you're going to set up and use sudo, the more appropriate and secure way to give yourself access without having to become the root user.
Last edited by trickykid; 06-02-2005 at 01:09 PM.
|
|
|
06-02-2005, 02:33 PM
|
#3
|
Senior Member
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Rep:
|
I just have to reply to this.....
Probably the biggest security problem that exists in Windows is the fact that most everyone has administrative privileges on their machines at all times. Think about this... sure it is an extra step to have to sudo or su to do an administrative task... however, it saves you a boat load of potential trouble.
Take an exploit in your IM client for example. Say it allows people, in some certain circumstances, to run any old arbitrary code on your system. If you're logged in as user xyz with no admin permissions there is a defined limit to the danger this exploit causes your system. Sure, they can muck with your home directory... maybe even delete it. What they can't do is change passwords, and delete/modify system files or logs. Now if you run this same IM client as root all bets are off, they can do absolutely anything with their code.
Same deal goes for Windows. Spyware isn't nearly as effective if the user that downloads it doesn't have permissions to install software.
If you think about it, most people spend relatively little time doing things that require root access. I personally would rather have to enter in a password when those times arise and know I have an added layer of protection in my day to day activities than to seriously break one of the fundamental security models of my system just to get rid of the occasional "annoyance".
|
|
|
06-02-2005, 02:41 PM
|
#4
|
Member
Registered: May 2005
Location: Cluj, Romania
Distribution: Fedora Core 6
Posts: 226
Original Poster
Rep:
|
Quote:
Originally posted by trickykid
Ok so, this is a fine example of security thru obscurity.. and why you did it, not sure, maybe your own little fetish that you should not worry about when dealing with *nix at all times.
|
Okay... I know I'm a newbie but I'm not stupid, I think you should know that. I'm not offended in any way, because I'm sure you know 1 mil. times more than me. First of all, I don't think I did anything that could affect my computer's security (I did?).
Quote:
What you need to do is create a user and set up sudo to get access to whatever you need that usually only root has access to. This will protect you and your system.
Creating a user with an ID of 0 and not removing your actual root user with an ID of 0, I'm afraid you just totally fscked up your system or just removing root and making your user with an id of 0 is a really bad idea. Slap yourself on the wrist, bad rookie mistake.
|
Why? I told you I had my user with 0:0 and it was ok, but it was the same thing as if I was logged in with root. I thought of removing root from /etc/passwd, but I didn't, because I didn't know the consequences (can you tell me?). And don't tell me it's impossible to create a user with root privileges. Everything is possible when we are talking about computers generally, and Linux especially.
Quote:
And yes, what I'm going to tell you is that you need to edit your /etc/passwd file back the way it was. Then you're going to either just use su - root to become root when necessary to do whatever it is your regular user doesn't have access to or you're going to set up and use sudo, the more appropriate and secure way to give yourself access without having to become the root user.
|
Now, I know sudo, but... I really don't understand what's the connection of my problem with security. What's the difference in fact of having one or 2 root users? One has 1 more chance to guess root password? I think you're not referring to this... Can you tell me what you mean?
And... thank you. I think you are talking to me about very simple things and someway you're wasting your time...
Last edited by zahadumy; 06-02-2005 at 02:43 PM.
|
|
|
06-02-2005, 02:48 PM
|
#5
|
Senior Member
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Rep:
|
Running as root all the time is just a horrible overall security policy... for the reasons I talked about in my first post (and many others).
The problem you would have with removing the "root" user is that a lot of stuff on your system is probably set to run as root instead of set to run with UID 0. The distinction is important. Your init scripts, for instance, could be severely hosed up if you don't have a root user.
As far as having two users with the same UID... that is fine, but since everyone expects root to be UID 0 I wouldn't be surprised if you run into all sorts of weird problems if the root account isn't explicitly known as root.
Last edited by jtshaw; 06-02-2005 at 02:50 PM.
|
|
|
06-02-2005, 02:52 PM
|
#6
|
Member
Registered: May 2005
Location: Cluj, Romania
Distribution: Fedora Core 6
Posts: 226
Original Poster
Rep:
|
jtshaw, I'm sure you're right, but... I'm a newbie, although I have 40+ posts I think... It doesn't matter... I understand what you're saying, but, I don't know, probably I should consider this, thinking that I use Linux partly because I have no antivirus and my computer really works better... Until now I was never thinking about security in Linux. Is this a mistake?
But anyway, I'm obsessed or something... is it possible? I have to know that, even if I will never use it (I will think about this). Thank you.
|
|
|
06-02-2005, 03:04 PM
|
#7
|
Member
Registered: May 2005
Location: Cluj, Romania
Distribution: Fedora Core 6
Posts: 226
Original Poster
Rep:
|
Quote:
Originally posted by jtshaw
Running as root all the time is just a horrible overall security policy... for the reasons I talked about in my first post (and many others).
|
You convinced me. I will set my user to UID and GID different than 0, you have my word on that. But tell me, please, you must know and if you want to tell me it is ok, if not, I will find out at some time in the future... And now comes the question: is there any way to have 2 different users with root privileges? Thank you.
|
|
|
06-02-2005, 03:06 PM
|
#8
|
Senior Member
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Rep:
|
Is it possible to have a user other than root be an admin? Yes... but the system isn't really set up to deal with two users having the same UID so whoever is listed first in /etc/passwd is what utilities like whoami are going to see.
The biggest reason for this is almost everywhere in the system it just refers to users by their UID number, not by name, because numbers are easier to deal with. They assume each UID only corresponds to 1 user, so when you do a cross reference to the name it will just find the first name that matches and go with it.
Is it possible to not have a "root" account at all (i.e. name root something else)? Maybe, but it would probably require a ton of changes to your init scripts for various things, and potentially other changes to your system. I think the kernel would probably be fine since everywhere I've looked it assumes UID=0 is the admin and doesn't actually reference users by their names... but other software could potentially not work as advertised anymore.
Linux is in general, a pretty secure system. However, it is secure in part because the default system layouts are fairly specific about making sure no single user has too much power. The only exception to this, the root user, should really be used with care. You'll notice that good distributions don't run server services as root (apache for example is usually run as the user "nobody"). SSH is the only exception I can think of... though I have to say one of the first things I do on all my machines is disable root login directly through SSH.
To me, a big part of security is, and has always been, minimizing the effect a vulnerability could have on you.
Last edited by jtshaw; 06-02-2005 at 03:10 PM.
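The first-match name lookup described in the post above, and the extra UID 0 entry from the opening post, can both be checked mechanically. The following is an added example, not part of the original thread; the function names and the sample passwd entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a passwd-format file for shared UIDs and extra UID 0 accounts.

# Constructed sample mirroring the thread: "cosmin" given 0:0 and moved above root.
sample_passwd() {
cat <<'EOF'
cosmin:x:0:0:Cosmin:/home/cosmin:/bin/bash
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
guest:x:501:501::/home/guest:/bin/bash
EOF
}

# All checks skip comments and lines that lack the 7 passwd fields.
# Accounts other than "root" that carry UID 0 (full root privileges).
extra_uid0_accounts() {
    awk -F: '/^#/ || NF != 7 { next } $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Each UID held by more than one account, as "uid:name1,name2" in file order.
duplicate_uids() {
    awk -F: '/^#/ || NF != 7 { next }
        !($3 in names) { order[++n] = $3; names[$3] = $1; next }
        { names[$3] = names[$3] "," $1; dup[$3] = 1 }
        END { for (i = 1; i <= n; i++)
                  if (order[i] in dup) print order[i] ":" names[order[i]] }' "$1"
}

# The name a first-match UID-to-name lookup returns (what whoami shows).
first_name_for_uid() {
    awk -F: -v uid="$2" '/^#/ || NF != 7 { next } $3 == uid { print $1; exit }' "$1"
}

# Report findings; return 1 if the file has any, 0 if it is clean.
audit_passwd() {
    extra=$(extra_uid0_accounts "$1"); dups=$(duplicate_uids "$1")
    [ -z "$extra" ] && [ -z "$dups" ] && return 0
    [ -n "$extra" ] && echo "non-root accounts with UID 0: $extra"
    [ -n "$dups" ] && echo "shared UIDs: $dups"
    return 1
}

# Demo on the constructed sample; point audit_passwd at /etc/passwd for a real check.
demo=$(mktemp)
sample_passwd > "$demo"
audit_passwd "$demo" || echo "UID 0 resolves to: $(first_name_for_uid "$demo" 0)"
rm -f "$demo"
```

A non-zero return from `audit_passwd` makes the check usable from cron or a configuration-management run as a tripwire for unexpected UID 0 entries.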
|
|
|
06-02-2005, 03:10 PM
|
#9
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
I'm going to suggest what you didn't want suggested. Going back to a normal user UID in your /etc/passwd file. You will need to use the find command in your home directory to locate files with a uid of 0 and use the chown command to change them to your normal UID.
There may be some files in hidden directories that have different ownership/permissions than normal, so I'm not suggesting changing all files at once with "chown <username> * -R" for that reason.
There is a /etc/sudoers file that you can edit with the "sudoers" command. If you read through the file, there are a couple commented out examples on how to allow a certain user, or group member to execute certain commands (mount/unmount are the examples used) and not have to enter in the root password to run it. This is handy for mounting or ejecting cdrom discs.
|
|
|
06-02-2005, 03:12 PM
|
#10
|
Member
Registered: May 2005
Location: Cluj, Romania
Distribution: Fedora Core 6
Posts: 226
Original Poster
Rep:
|
Quote:
Originally posted by jtshaw
Is it possible to have a user other than root be an admin? Yes... but the system isn't really set up to deal with two users having the same UID so whoever is listed first in /etc/passwd is what utilities like whoami are going to see.
Linux is in general, a pretty secure system. However, it is secure in part because the default system layouts are fairly specific about making sure no single user has too much power. The only exception to this, the root user, should really be used with care. You'll notice that good distributions don't run server services as root (apache for example is usually run as the user "nobody"). SSH is the only exception I can think of... though I have to say one of the first things I do on all my machines is disable root login directly through SSH.
|
I have an SSH server running and I remember I read here on LQ in a post "default settings on Fedora can get you hacked". And of course, it was referring to root login directly through ssh, which should be disabled... But anyway, I use 25 letter and number passwords, what's the chance anyone could guess one?
|
|
|
06-02-2005, 03:29 PM
|
#11
|
Member
Registered: May 2005
Location: Cluj, Romania
Distribution: Fedora Core 6
Posts: 226
Original Poster
Rep:
|
Quote:
Originally posted by jschiwal
I'm going to suggest what you didn't want suggested. Going back to a normal user UID in your /etc/passwd file. You will need to use the find command in your home directory to locate files with a uid of 0 and use the chown command to change them to your normal UID.
There may be some files in hidden directories that have different ownership/permissions than normal, so I'm not suggesting changing all files at once with "chown <username> * -R" for that reason.
|
Okay, I have set up my user to UID and GID 500:500. My problem now is: when I try to log in, I get this message: "Could not look up internet address for localhost.localdomain. This will prevent GNOME from operating correctly. It may be possible to correct the problem by adding localhost.localdomain to the file /etc/hosts." But my /etc/hosts looks like this:
Code:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
There is "Log in anyway" there, but it doesn't work. I had to log in as root. Any suggestions? Thank you.
Last edited by zahadumy; 06-02-2005 at 03:32 PM.
|
|
|
06-02-2005, 03:36 PM
|
#12
|
Member
Registered: Jan 2005
Location: Chicago
Distribution: Fedora Core 4, Suse 9.3
Posts: 186
Rep:
|
trickykid or jtshaw or jschiwal (Fast Question for You)
I have Fedora Forum as an RSS feed, which I use to learn from others. This has served me well so far. I only use the root account to make system-wide changes and I've had very few problems as Fedora 3 is great out of the box.
All that said, I have a question which I have not seen the answer to:
What is the difference between typing: su then root password
and: su - then root password ?????
How do I know which to use?
and lastly, I've only seen sudo in Ubuntu, but is that the same as su or su-??
Thanks and I apologize for such a basic ?
Mark
Last edited by mkoljack; 06-02-2005 at 07:46 PM.
|
|
|
06-02-2005, 04:40 PM
|
#13
|
Member
Registered: May 2005
Location: Cluj, Romania
Distribution: Fedora Core 6
Posts: 226
Original Poster
Rep:
|
I changed my user, I did chown and all seems to be ok, except every time when I log in I get this message: "Could not look up internet address for localhost.localdomain. This will prevent GNOME from operating correctly. It may be possible to correct the problem by adding localhost.localdomain to the file /etc/hosts.". I choose "log in anyway" and all is fine. But I don't understand why I can log in with my user or root, but I can't with any other user. When I try to log in with any user except my user and root, I get those error messages described in my first post in this thread. Can you help me? Thank you.
|
|
|
All times are GMT -5.