![]() ![]() This results in much cleaner management of privileges.Īs a result of this, in many Debian-based systems root user has no password set - i.e. ![]() To revoke admin privileges from a person, you just need to edit the config file (or remove the user from a group which is listed in that config). It uses a config file (/etc/sudoers) which lists which users have rights to specific actions (run commands as root, etc.) When invoked, it asks for the password of the user who started it - to ensure the person at the terminal is really the same "joe" who's listed in /etc/sudoers. what's the mnemonic? Super-User-DO?) is completely different. If you need to revoke admin permissions from one of the users, you need to change root password and tell it only to those people who need to keep access - messy. If there are several users on your machine who need to run commands as root, they all need to know root password - note that it'll be the same password. So, to become root, you need to know root password. To ensure you have the rights to do that, it asks you for the password of the target user. Su (which means "substitute user" or "switch user") - does exactly that, it starts another shell instance with privileges of the target user. echo "root:newword1" | chpasswdĪctually this is looking more like the shadow file.The main difference between these commands is in the way they restrict access to their functions. ![]() (if on the command line to avoid adding to history put a space first). ![]() There are many ways but this is simplest. use rsync over SSH etc.įinal note is if you want to generate the password file shadow encrypted string in an automated shell etc try this link for more. If FTP is not as secure maybe don't use it anyway. Only thing different from way back is you can't SSH directly to root. MasterJames Lesson of the day and every day for many things is: old school was always better, changing perfection is normal but it doesn't make it right. Yes you can still su from the ssh login user after removal from the group. Actually to this point it may still be untrue since man crypt shows 'By taking the lowest 7 bits of each of the first eight characters of the key, a 56-bit key is obtained.' may still only use the first 8 chars anyway, my tests say otherwise so maybe that's another good question about password lengths. If you also double up the length of the passwords (for both accounts) other then an obvious guessable plain doubling so say 16 characters then it's pretty secure. (obviously you would preferable not need to prefix with sudo since you su'ed to root). This is probably the cleanest safest feeling way to do it meaning remove a user from the group sudo. You will see this difference in the prompt path not having changed to the tilde (aka user's home directory) vs full /home/user path of the user that just su'ed so probably less desirable then sudo su or sudo -s anyway.Īctually root still cant use SSH to login directly by default anyway so it is added security if you eventually disable the original login account from sudoers. It is added security to have a different user that has access then the hacker has to guess the username as well as a password, but you can add back root, and disable the sudoers for the still unknown account, which would be more secure with double passwords and an unknown username.Īnd to disable or lock root again passwd -l root Even though it appears sa for system administrator is no longer included in the ubuntu variant by default (apt install acct), so I guess I mean logically.Īctually I guess I am showing my age with 'sa' but never used it because at the time 'su' was a more direct approach.ĭoing 'su' directly is not possible as you need the root password but the account is disabled by default. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |