Le 14/08/2013 14:44, Darac Marjal a écrit : > On Wed, Aug 14, 2013 at 12:14:47PM +0200, François Patte wrote: >> Bonjour, >> >> For some unknown reason I did not activate the root account during the >> installation. I activated it from a user account, say John Doe. >> >> Now John Doe can become root anytime and do anything on my machine. >> >> How can I deactivate this? I have seen that John Doe is a member of >> almost all groups in /etc/group and /etc/gshadow... >> >> Is there a simple method to remove John Doe from these files and are >> there other files to modify? > Check /etc/sudoers and /etc/sudoers.d/*. If you have a line like: > %sudo ALL=(ALL:ALL) ALL > then removing John Doe from the 'sudo' group should be enough (assuming, > of course no other line allows him access). Thanks. That was my first idea and I checked this file; unfortunately, there is no mention of John Doe in the sudoers file.... That's why I checked group and gshadow files to discover that John doe was a member of many groups.... And I wonder how to correct this in one or two commands... It seems that I have to do the job group after group.... >> >> I asked a question about this inconvenience of the sudo way to activate >> root account: lightdm accepts to login root for a graphical session, I >> found a method to forbid this: add this line in /etc/pam.d/ligthdm: >> >> auth required pam_succeed_if.so user != root quiet >> >> I don't understand this "fashion": sudo and no root account.... It is >> the same under ubuntu. What for? > I believe the idea is to discourage people from logging in as root. You > can't get rid of root completely (any user with an ID of 0 is root), nor > would you want to. But there have been many a horror story of people > logging in as a super-user (either Root on Linux or Adminstrator on > Windows) for day-to-day work - perhaps to work around some permissions > issue or something. This is the responsability of every person installing an os on a computer, I don't understand why conceptors of a distro would take in charge mistakes done by users... We can all see this warning: "don't work as root on a computer"! That should be enough.
> > 'sudo' is preferred over 'su' because A) it allows for better control of > who can do what - if you want a user to be able to run 'foo' as root > without being asked for their password, you can do that B) the simple > interface (just adding one keyword before a command line) encourages > users to run JUST ONE command as root - 'su' makes it all too easy to > switch to a root shell and forget to switch back. I think that sudo system is less secure than the old system "root account". 1) Anybody with sudo root permission (as it is the case for the first person using sudo after an installation) can do "sudo bash" and he can run as many commands as he wants as root. 2) John Doe's password on the system may be cracked more easily than root's password because John Doe will certainly make internet connections and during such a connection his password can be intercepted; root on a machine has no reason to connect as root to a remote system. So anyone catching John doe password can logon as root on a system and compromise it. As for the fact that if you use su - you could forget that you have done that, but A) the prompt displays a # and not a $ B) it is easy to modify the bash prompt to make it red (for instance) for the root account. Moeover, by default on my debian install, I could see that root login through ssh is allowed: is it really the default configuration? -- François Patte UFR de mathématiques et informatique Laboratoire CNRS MAP5, UMR 8145 Université Paris Descartes 45, rue des Saints Pères F-75270 Paris Cedex 06 Tél. +33 (0)1 8394 5849 http://www.math-info.univ-paris5.fr/~patte
signature.asc
Description: OpenPGP digital signature