On Wed, Aug 14, 2013 at 12:14:47PM +0200, François Patte wrote: > Bonjour, > > For some unknown reason I did not activate the root account during the > installation. I activated it from a user account, say John Doe. > > Now John Doe can become root anytime and do anything on my machine. > > How can I deactivate this? I have seen that John Doe is a member of > almost all groups in /etc/group and /etc/gshadow... > > Is there a simple method to remove John Doe from these files and are > there other files to modify? Check /etc/sudoers and /etc/sudoers.d/*. If you have a line like: %sudo ALL=(ALL:ALL) ALL then removing John Doe from the 'sudo' group should be enough (assuming, of course no other line allows him access). Otherwise, you'll have to look at other lines and see if any of them allow John Doe access and remove them. Use "visudo" as root to edit these files - it'll syntax check before saving. > > > I asked a question about this inconvenience of the sudo way to activate > root account: lightdm accepts to login root for a graphical session, I > found a method to forbid this: add this line in /etc/pam.d/ligthdm: > > auth required pam_succeed_if.so user != root quiet > > I don't understand this "fashion": sudo and no root account.... It is > the same under ubuntu. What for? I believe the idea is to discourage people from logging in as root. You can't get rid of root completely (any user with an ID of 0 is root), nor would you want to. But there have been many a horror story of people logging in as a super-user (either Root on Linux or Adminstrator on Windows) for day-to-day work - perhaps to work around some permissions issue or something. 'sudo' is preferred over 'su' because A) it allows for better control of who can do what - if you want a user to be able to run 'foo' as root without being asked for their password, you can do that B) the simple interface (just adding one keyword before a command line) encourages users to run JUST ONE command as root - 'su' makes it all too easy to switch to a root shell and forget to switch back. Now, I don't believe there's been any active discouragement of doing things 'the old way'. It's just that, as linux becomes more popular, it needs to become more 'user friendly' - and that means robustness against user folly.
Description: Digital signature