Re: Group Membership....

From: David L Norris (dave_at_webaugur.com)
Date: 03/25/04

    To: James Kosin <JKosin@beta.intcomgrp.com>, For users of Fedora Core releases <fedora-list@redhat.com>
    Date: Thu, 25 Mar 2004 21:00:45 +0000
    
    
    
    

    On Thu, 2004-03-25 at 18:11, James Kosin wrote:
    > I have a silly question;
    > Does the root (group) have special privileges like the root (user)?
    > If so, what are they?

    As far as I know, Fedora Core doesn't give the root group any special
    privileges. However, PAM and sudo can be set up to allow certain users
    or groups to have special privileges. In most cases you'd add
    superusers to the wheel group then give the wheel group special
    privileges through sudo or PAM. PAM is much more powerful; however, it
    isn't as easy to set up. Fedora Core's consolehelper (root password
    prompt you see when running "System Settings" programs) is based on PAM.

    For more info on sudo:
      man 5 sudoers

    To edit the sudoers file run this as root:
      visudo

    The following sudoers entry allows members of the wheel group
    unrestricted root access with sudo. It challenges them for their own
    password instead of the root password:
      %wheel ALL=(ALL) ALL

    Then members of the wheel group can prefix commands with sudo to run
    them as root. To get a root login shell (without needing the root
    password) you would do this:
      sudo su -

    To go one step further: Once I've set up sudo and know it works, I
    remove all terminal devices from /etc/securetty, modify
    /etc/ssh/sshd_config (PermitRootLogin no), and modify
    /etc/X11/gdm/gdm.conf (AllowRoot=false & AllowRemoteRoot=false) to
    disallow root login entirely. This forces people to log in as a
    non-privileged user and use sudo or su.

    If someone tries to run something they are not allowed to run, the
    administrators are sent an email. All sudo commands are logged to the
    system log. Thus when something breaks you can go back and see
    precisely what has been done to break it and who did it.

    In an emergency, such as accidentally erasing/damaging your passwd or
    groups files, you can easily gain root privileges with a rescue CD or by
    passing arguments to the kernel (e.g. init=/bin/sh).

    -- 
     David Norris
      http://www.webaugur.com/dave/
      ICQ - 412039
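
The lockdown steps described in the message above can be checked with a short audit; this is an added example, not part of the original post. The function names and the optional ROOT prefix argument are assumptions made for illustration, and sshd Match blocks are not interpreted.

```shell
#!/bin/sh
# Added example, not from the original message. ROOT is a hypothetical
# prefix so the check can run against a copy of /etc; empty = live system.

first_value() {  # first_value FILE KEY -> first value set for KEY, lowercased
    awk -v k="$2" '{ sub(/^[ \t]+/, ""); n = split($0, p, /[ \t=]+/) }
        n >= 1 && tolower(p[1]) == tolower(k) { print tolower(p[2]); exit }' \
        "$1" 2>/dev/null
}

audit_root_login() {  # audit_root_login [ROOT]; returns the number of open paths
    root=${1:-}; open=0

    # securetty: every non-blank, non-comment line is a tty root may use.
    # A missing file is flagged too, since nothing then restricts root ttys.
    f=$root/etc/securetty
    if [ ! -f "$f" ] || grep -Eqv '^[[:space:]]*(#|$)' "$f"; then
        echo "OPEN console: $f lists terminals or is missing"; open=$((open + 1))
    fi

    # sshd_config: the first PermitRootLogin wins; anything but "no" is flagged.
    v=$(first_value "$root/etc/ssh/sshd_config" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "OPEN ssh: PermitRootLogin=${v:-unset}"; open=$((open + 1))
    fi

    # gdm.conf: both keys named in the post must be false.
    for k in AllowRoot AllowRemoteRoot; do
        v=$(first_value "$root/etc/X11/gdm/gdm.conf" "$k")
        if [ "$v" != "false" ]; then
            echo "OPEN gdm: $k=${v:-unset}"; open=$((open + 1))
        fi
    done

    # Lockout guard: once root login is closed, the %wheel rule is the way in.
    if ! grep -Eq '^%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL' \
            "$root/etc/sudoers" 2>/dev/null; then
        echo "WARN sudo: no '%wheel ALL=(ALL) ALL' rule in $root/etc/sudoers"
    fi
    return "$open"
}
# Usage: audit_root_login        (as root, so /etc/sudoers is readable)
```

A return status of 0 with no output means all three login paths are closed and the wheel rule is present; a WARN line alongside closed paths means the host has no sudo route back to root.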
    
    

    
    
