[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sudo questions

On Wed, Aug 14, 2013 at 12:14:47PM +0200, François Patte wrote:
> Bonjour,
> For some unknown reason I did not activate the root account during the
> installation. I activated it from a user account, say John Doe.
> Now John Doe can become root anytime and do anything on my machine.
> How can I deactivate this? I have seen that John Doe is a member of
> almost all groups in /etc/group and /etc/gshadow...
> Is there a simple method to remove John Doe from these files and are
> there other files to modify?

Check /etc/sudoers and /etc/sudoers.d/*. If you have a line like:
	%sudo   ALL=(ALL:ALL) ALL
then removing John Doe from the 'sudo' group should be enough (assuming,
of course no other line allows him access).

Otherwise, you'll have to look at other lines and see if any of them
allow John Doe access and remove them. 

Use "visudo" as root to edit these files - it'll syntax check before

> I asked a question about this  inconvenience of the sudo way to activate
> root account: lightdm accepts to login root for a graphical session, I
> found a method to forbid this: add this line in /etc/pam.d/ligthdm:
> auth required pam_succeed_if.so user != root quiet
> I don't understand this "fashion": sudo and no root account.... It is
> the same under ubuntu. What for?

I believe the idea is to discourage people from logging in as root. You
can't get rid of root completely (any user with an ID of 0 is root), nor
would you want to. But there have been many a horror story of people
logging in as a super-user (either Root on Linux or Adminstrator on
Windows) for day-to-day work - perhaps to work around some permissions
issue or something.

'sudo' is preferred over 'su' because A) it allows for better control of
who can do what - if you want a user to be able to run 'foo' as root
without being asked for their password, you can do that B) the simple
interface (just adding one keyword before a command line) encourages
users to run JUST ONE command as root - 'su' makes it all too easy to
switch to a root shell and forget to switch back.

Now, I don't believe there's been any active discouragement of doing
things 'the old way'. It's just that, as linux becomes more popular, it
needs to become more 'user friendly' - and that means robustness against
user folly.

Attachment: signature.asc
Description: Digital signature

Reply to: