I think the OP is confused about what he "wants". First he said he couldn't get sudo to work for his user then he could but complained about other users then about not getting graphics as root then he falls back into a general rant about sudo.
My opinion is the OP just wanted to kvetch rather than get any real help from anyone. As noted more than once by myself and others he could ignore sudo completely if he chose a distro that didn't require it like ubuntu.
I think that ForYouAndI.com is being unfairly criticised here, as I understand it, (s)he wanted to give others permission to log into the main (admin) account on occasion but not be able to make any changes that require admin privileges. No harm in that as far as I can see, as one of the assets of Linux is being able to tailor the OS to your particular requirements.
Sorry for replying so late. I've spent days trying out distributions and making sure almost all the features I wanted were there. I ended up with Debian. No more sudo. Debian handles root the way suse does. Wife upset...talk later.
tredegar, I read over your posts again. You think that I would want someone to log into my account and have root privileges...I meant the exact opposite. That is one of the reasons I ditched Windows. Bad user handling.
jlightner, now that I've had some rest, I can see your point. Rather than giving everyone the ability to become root, you can assign roles to users when they use sudo to access certain files. And it's better than just file permissions because they'll have to type in their password before they can mess anything up. Which would effectively stop any virus from doing harm.
Wouldn't it be possible to have the same security without sudo by using selinux?
With sudo you give specific users access to specific commands (and arguments if desired - e.g. "su - testora" - gives only permission to su to testora user - not to any other user and most importantly NOT to root).
I think of SELinux more as a firewall on steroids but not having really used it can't comment well about what it does. My main view of SELinux is that it has almost no lucid documentation and causes many things to not work if left enabled so most folks disable it. I have seen a comment that applications actually have to be SELinux aware which to me is another strike against it. For firewall iptables works just fine. SELinux is likely something I'd explore deeper only if I were making an internet facing web server. I note that FC6 (and presumably Fedora 7) have an SELinux configuration utility available so I might play with that on a future install.
Basically the point in sudo is to give users access to things they would not ordinarily have access to but root would whereas firewalls are to try to set global policies about what traffic is allowed to and from a server through specific interfaces (IPs) and ports.
Security is all about hardening the target and sometimes you do what is "practical". If you're running a home system that you never connect to the internet there's probably not a lot of need to get too fancy with iptables. However if you're running a web server that is important to your business' success you probably want to do a lot of hardening to be sure script kiddies and hackers don't take it down. It's much like accounting - if you're running a mom and pop business you probably aren't going to expend much effort producing a capital budget for the next year but in corporations this is a regular activity.
Most of my comments about use of sudo relate to the way I've used it in corporate environments that have dozens or hundreds of users accessing systems.
Let me make sure I have this straight.
If my sudo gives me root priv...
When I do sudo command
the program runs with the same privileges and in the same way as if I did:
su pass
command
correct?
Of course, with the exception of su keeping root priv in the command line after the command is done executing.
simply says to run the command as the root user. To that extent it is somewhat like running:
su -c command
The difference being with sudo the password that is requested is the original user's password and with su you must know the root password.
sudo's benefits on a multiuser system where only the System Admins should have root access are:
1) No one gets the root password other than the System Admins (for su everyone would need to know it).
2) ONLY those commands you've allowed for in sudoers can be executed by those users you've granted access to that command. You can set up multiple groups (e.g. DBAs) within sudoers to give all members of certain teams access to the certain commands and members of other teams (or individuals) access to other commands.
3) sudo has logging of who accessed which command. Since the user doesn't actually become root he can't delete logs as he might if you'd given him su. Also su by itself only logs which user executed su - it doesn't give you any view of what they did after the su.
Note: In the foregoing when I say "su" I mean switch user to root. Users can use su for non-root users if they know the passwords for those accounts.
e.g.
sudo su - testora
is the same as
su - testora
Again the difference being that for the sudo they need only know their own password and for su without sudo they need to know testora's password.
I use the above example mainly because it's a feature some people don't realize - that being that while sudo runs as root it can be given commands such as "su - testora -c ls" that would do an ls -l of testora's home directory as the user testora. This means you never really give the user access to a root command at all except long enough to become the other non-root user.
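An added example, not from the original posts: a sudoers fragment for the "su - testora" case described in the thread, with the overly broad rule shown beside the restricted one. The group "dba", the user "carol", the file name and the /bin/su path are assumptions.

```sudoers
# /etc/sudoers.d/dba -- constructed example; edit with: visudo -f /etc/sudoers.d/dba
# Assumptions: the Unix group "dba", the user "carol" and the path /bin/su
# (some distributions install su as /usr/bin/su; sudoers needs the full path).

# --- Too broad: do NOT use ---------------------------------------------------
# A command listed without arguments matches ANY arguments, so this rule would
# also permit "sudo su -", i.e. a root shell:
#   %dba   ALL = (root) /bin/su

# --- Restricted --------------------------------------------------------------
# When arguments are listed, the user's command line must match them exactly.
Cmnd_Alias SU_TESTORA    = /bin/su - testora
Cmnd_Alias SU_TESTORA_LS = /bin/su - testora -c ls

# Members of group dba may become testora, authenticating with their own
# password; neither the root password nor testora's password is shared.
%dba    ALL = (root) SU_TESTORA

# One individual may only run ls as testora, never an interactive shell.
carol   ALL = (root) SU_TESTORA_LS
```

Check the file with "visudo -cf /etc/sudoers.d/dba" before relying on it; each user can run "sudo -l" to see which commands they have been granted.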