Disable root after sudo enable?

Posted: 23. Mar 2012, 14:18
by globetrotterdk
Is disabling the root account recommended after having implemented sudo?
I have added my user name to /etc/sudoers:

Code:

# visudo
I have also added paths to my ~/.bashrc file:

Code:

PATH=/sbin:/usr/sbin:/usr/local/sbin:$PATH
Would the next step be:

Code:

sudo getent shadow root|cut -d : -f 2
???

Re: Disable root after sudo enable?

Posted: 23. Mar 2012, 15:12
by Shador
globetrotterdk wrote: Is disabling the root account recommended after having implemented sudo?
No, not unless you use a weak password for it. It's just an additional "incentive" not to become root anymore. Although that can still be circumvented with:

Code:

sudo /bin/sh
globetrotterdk wrote:

Code:

sudo getent shadow root|cut -d : -f 2
Context? This line just extracts the hashed password from the password database.

Re: Disable root after sudo enable?

Posted: 23. Mar 2012, 17:12
by globetrotterdk
Shador wrote:
globetrotterdk wrote: Is disabling the root account recommended after having implemented sudo?
No, not unless you use a weak password for it. It's just an additional "incentive" not to become root anymore. Although that can still be circumvented with:

Code:

sudo /bin/sh
Thanks Shador
Shador wrote:
globetrotterdk wrote:

Code:

sudo getent shadow root|cut -d : -f 2
Context? This line just extracts the hashed password from the password database.
Yes. I saw that posted on an Ubuntu forum as an alternative to deleting the root account. Mileage of course may vary.

Re: Disable root after sudo enable?

Posted: 23. Mar 2012, 20:31
by gapan
First of all, there is no way anyone can disable the root account. You may choose not to use it, but you can't disable it. You may think that *buntu has it disabled but you're mistaken. There is a root user account, it just has a random password assigned to it, so you can't use it.

That said, I see no reason why you would want to do anything like that.

Re: Disable root after sudo enable?

Posted: 24. Mar 2012, 07:51
by globetrotterdk
gapan wrote: First of all, there is no way anyone can disable the root account. You may choose not to use it, but you can't disable it. You may think that *buntu has it disabled but you're mistaken. There is a root user account, it just has a random password assigned to it, so you can't use it.

That said, I see no reason why you would want to do anything like that.
Just inquiring about the correct procedure when sudo is being used. The book "Beginning the Linux Command Line" by Sander van Vugt seems to suggest that a good reason to use sudo is that having a root account is less secure. I am aware that there is a difference of opinion on the issue and I am just trying to figure out what is recommended within the parameters of Salix OS.

Re: Disable root after sudo enable?

Posted: 24. Mar 2012, 09:33
by gapan
If you want more than one user to have access to administrative tasks, it is less secure, because every user will need to know the root user password. I don't see how it can be less secure in any other way.

You can set the user password to something terribly complex that you won't be able to remember in the next second, something like "KrofukkK!@6eyzyfeY8@I%&5deTmbd$aafFT9UEtSxoS6i5ykA". That way you will have effectively "disabled" the root user account, since you won't be able to use it (not directly anyway, as stated before there are workarounds of course - this is what *buntu does). But I don't see how that is different than just not giving the root password to every other user and choosing not to use the root user yourself.

Re: Disable root after sudo enable?

Posted: 24. Mar 2012, 11:07
by thenktor
globetrotterdk wrote: Just inquiring about the correct procedure when sudo is being used.
The correct procedure is not to use sudo :mrgreen: :ugeek: :twisted:

Re: Disable root after sudo enable?

Posted: 24. Mar 2012, 12:13
by Shador
gapan wrote: You can set the user password to something terribly complex that you won't be able to remember in the next second, something like "KrofukkK!@6eyzyfeY8@I%&5deTmbd$aafFT9UEtSxoS6i5ykA". That way you will have effectively "disabled" the root user account, since you won't be able to use it (not directly anyway, as stated before there are workarounds of course - this is what *buntu does). But I don't see how that is different than just not giving the root password to every other user and choosing not to use the root user yourself.
Actually you can lock or disable an account by putting '!' or '*', respectively, into the password field. Additionally you can replace the default shell with /bin/false. https://administratosphere.wordpress.co ... ow-format/
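
The password-field states described in the post above, as an added example that is not part of the original thread: a shell function classifies a shadow entry without printing the hash, and a second reads the login shell from a passwd entry. The sample entries are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sample entries are constructed, function names are hypothetical.
SAMPLE_HASHED='root:$6$constructedsalt$constructedhash:15422:0:99999:7:::'
SAMPLE_LOCKED='root:!$6$constructedsalt$constructedhash:15422:0:99999:7:::'
SAMPLE_STAR='root:*:15422:0:99999:7:::'
SAMPLE_EMPTY='root::15422:0:99999:7:::'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/false'

# Classify field 2 of a shadow(5) line without echoing the hash itself.
shadow_state() {
    field=$(printf '%s\n' "$1" | cut -d : -f 2)
    case "$field" in
        '')   echo "empty" ;;     # no password needed to authenticate
        '!'*) echo "locked" ;;    # leading '!': password locked, old hash may follow
        '*')  echo "no-hash" ;;   # not a valid crypt(3) result, no password matches
        '$'*) echo "hashed" ;;    # $id$salt$hash format, password login possible
        *)    echo "other" ;;     # e.g. legacy hash format or another invalid string
    esac
}

# Field 7 of a passwd(5) line is the login shell.
login_shell() {
    printf '%s\n' "$1" | cut -d : -f 7
}

# One-line summary; $1 = shadow line, $2 = passwd line for the same account.
account_report() {
    name=$(printf '%s\n' "$1" | cut -d : -f 1)
    printf '%s: password=%s shell=%s\n' "$name" "$(shadow_state "$1")" "$(login_shell "$2")"
}

# This covers password login only; what sudo permits is decided by /etc/sudoers.
for entry in "$SAMPLE_HASHED" "$SAMPLE_LOCKED" "$SAMPLE_STAR" "$SAMPLE_EMPTY"; do
    account_report "$entry" "$SAMPLE_PASSWD"
done
# Live use (needs root): shadow_state "$(sudo getent shadow root)"
```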

Re: Disable root after sudo enable?

Posted: 25. Mar 2012, 09:24
by gapan
Shador wrote: Actually you can lock or disable an account by putting '!' or '*', respectively, into the password field. Additionally you can replace the default shell with /bin/false. https://administratosphere.wordpress.co ... ow-format/
Still, that's pretty much the same thing. You don't disable the account, you set a non-working password. You can still get around that (and also setting the default shell) with: sudo su -s /bin/bash

Re: Disable root after sudo enable?

Posted: 25. Mar 2012, 10:24
by globetrotterdk
thenktor wrote:
globetrotterdk wrote: Just inquiring about the correct procedure when sudo is being used.
The correct procedure is not to use sudo :mrgreen: :ugeek: :twisted:
OK, thanks :) It was mentioned in the context of using the Skis 3G script, however. For reference, the thread is here.