I stumbled upon
this thread and one aspect of it got me thinking. As i am building a small Linux network right now for a friend i would like to hear your opinion on this.
Quote:
Originally Posted by
Corona688
...or just not do that. Typically you'd login as a regular user then su or sudo. This restriction is for a reason.
I'd like to respectfully disagree. I think the Linux habit of disabling root login per default is wrong (
not entirely good, more precisely) , based on the following reason:
It is easy to see that for
private purposes, where one (or any other very small number) of systems is in play this restriction makes sense. It enhances system security and is therefore a good thing to have.
Still, apart from private usage there is the corporate usage of Linux systems. Administrating up to several hundreds of (maybe virtualized) Linux systems typically involves carrying out one command on several or all systems in parallel. If i want to know which systems have a certain package/version combination installed I'd issue some rpm-command on all systems, for instance, to find out which systems need a certain update.
To do so is basically impossible without having root access to the system directly. Yes, it would be possible to query the version information as a normal user in the example above - suppose this shows that 50 systems need a certain package to be installed. You need root to do and nobody wants to go through the motions of logging on to one system after the other, issue a "sudo su - root", enter his own password fifty times and then carry out a single command to actually install the package.
Probably every commercial Unix has provisions to make this a one-liner. In IBMs AIX (this i know best) for instance there is "dsh" (distributed shell), which is a rework of a part of the PSSP middleware introduced for the SP/2 (i can't remember when this platform was launched, probably somewhere in the beginning of the nineties).
When i install AIX systems i usually start the customization with establishing exchanged ssh-keys as a "chain of trust" with some central management system (usually my NIM-server) and then use this system to administrate the system further. Most of my work is done without directly logging on to the system but by developing and executing scripts, which use "dsh" (or even while-loops feeding some host-list into a "ssh"-command) to execute commands remotely.
So, to come back to my point "log in as normal user and 'sudo su' to root" is an advice of dubious quality IMHO. Yes, if your system is for private use or anything similar to this it is good, in a real data center it is rather less practicable.
bakunin
