Re: ROOT User Question
From: Michael Heiming (michael+USENET_at_www.heiming.de)
Date: 11/21/04
- Next message: Max: "Re: permission denied - can files be locked in linux?"
- Previous message: Michael Heiming: "Re: permission denied - can files be locked in linux?"
- In reply to: Sparky: "Re: ROOT User Question"
- Next in thread: Tom: "Re: ROOT User Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 21 Nov 2004 07:06:09 +0100
In alt.os.linux Sparky <tyates@newsguy.com>:
> On Sat, 20 Nov 2004 12:15:55 +0100, Sybren Stuvel
> <sybrenUSE@YOURthirdtower.com.imagination> wrote:
>>Sparky enlightened us with:
>>> I would like to disable root from ever logging in directly to my
>>> server. I want a user to "su -" and enter root's password from
>>> their own account. How can I accomplish this?
>>
>>You don't. You don't want people to have full root access - read up on
>>'sudo'.
> Did read up on sudo, going to implement that at some point.
You'll have a hard time implementing it the longer you wait if users
get used to unlimited rootly powers. Make a list of which commands
users need to execute as root and start configuring sudo. Never
give the permission to use 'vi' or another editor as root, most
can spawn a shell, giving full root permissions.
>>
>>We can't tell you how to disable root from ever logging in directly,
>>if you don't tell us how someone can log in as root currently.
> Right now a person can log into this server via root from XDMCP,
> telnet, ssh (putty) to name a few. What I want is to "su -" once
> already logged in via my own id for example but I'd like a log of who
> became root (from what user did they become root).
Disable XDMCP, run in runlevel 3 (change /etc/inittab
"id:5:initdefault:" --> "id:3:initdefault:"). No need to run X on
a server. You can still run remote X apps redirected to another
display, but there's no need to run the whole flipping thing on a
server.
Disable telnet completely, far too insecure. Anything including
the root password will travel in clear text over the wire.
Add to /etc/ssh/sshd_config "PermitRootLogin no" and
restart/reload sshd.
Configure pam (pam_wheel.so) to only allow members of the wheel
group to su root.
Try a google search for "Linux rute" and get this admin guide as
a start.
Good luck
--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 355: Boredom in the Kernel.
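
A read-only check for the settings named in the message above, as an added example that is not part of the original post. The path /etc/pam.d/su, the function names and the sample files are assumptions made for illustration; sshd Include directives are not followed.

```shell
#!/bin/sh
# Added example: read-only audit of the files named in the post.

# First PermitRootLogin before any Match block wins; "unset" = sshd default.
sshd_root_login() {
    awk '{ gsub(/=/, " ") }
         tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Only required/requisite restricts su; a "sufficient" line denies nobody.
su_requires_wheel() {
    awk '$1 == "auth" && ($2 == "required" || $2 == "requisite") &&
         /pam_wheel\.so/ { ok = 1 } END { exit !ok }' "$1"
}

# Runlevel from the active "id:N:initdefault:" line.
default_runlevel() {
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# One line per finding; return status is the number of failed checks.
audit_root_access() {
    root=$1; fails=0
    v=$(sshd_root_login "$root/etc/ssh/sshd_config")
    [ "$v" = "no" ] || { echo "FAIL sshd PermitRootLogin is $v"; fails=$((fails + 1)); }
    su_requires_wheel "$root/etc/pam.d/su" ||
        { echo "FAIL su is not restricted to wheel"; fails=$((fails + 1)); }
    v=$(default_runlevel "$root/etc/inittab")
    [ "$v" = "3" ] || { echo "FAIL default runlevel is ${v:-unknown}"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample tree for an unhardened host (not taken from the thread).
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh" "$demo/etc/pam.d"
printf '#PermitRootLogin no\nPermitRootLogin yes\n' > "$demo/etc/ssh/sshd_config"
printf 'auth sufficient pam_rootok.so\n#auth required pam_wheel.so use_uid\n' > "$demo/etc/pam.d/su"
printf 'id:5:initdefault:\n' > "$demo/etc/inittab"
audit_root_access "$demo" || echo "$? check(s) failed"
rm -rf "$demo"
```

Run `audit_root_access ""` to check the live system, or pass a directory holding copies of the three files.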