Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Root login in Linux - does it make sense?
Special Forums Cybersecurity Root login in Linux - does it make sense? Post 302728051 by bakunin on Wednesday 7th of November 2012 09:27:50 AM
Old 11-07-2012
Root login in Linux - does it make sense?
I stumbled upon this thread and one aspect of it got me thinking. As i am building a small Linux network right now for a friend i would like to hear your opinion on this.

Quote:
Originally Posted by Corona688
...or just not do that. Typically you'd login as a regular user then su or sudo. This restriction is for a reason.
I'd like to respectfully disagree. I think the Linux habit of disabling root login per default is wrong (not entirely good, more precisely) , based on the following reason:

It is easy to see that for private purposes, where one (or any other very small number) of systems is in play this restriction makes sense. It enhances system security and is therefore a good thing to have.

Still, apart from private usage there is the corporate usage of Linux systems. Administrating up to several hundreds of (maybe virtualized) Linux systems typically involves carrying out one command on several or all systems in parallel. If i want to know which systems have a certain package/version combination installed I'd issue some rpm-command on all systems, for instance, to find out which systems need a certain update.

To do so is basically impossible without having root access to the system directly. Yes, it would be possible to query the version information as a normal user in the example above - suppose this shows that 50 systems need a certain package to be installed. You need root to do and nobody wants to go through the motions of logging on to one system after the other, issue a "sudo su - root", enter his own password fifty times and then carry out a single command to actually install the package.

Probably every commercial Unix has provisions to make this a one-liner. In IBMs AIX (this i know best) for instance there is "dsh" (distributed shell), which is a rework of a part of the PSSP middleware introduced for the SP/2 (i can't remember when this platform was launched, probably somewhere in the beginning of the nineties).

When i install AIX systems i usually start the customization with establishing exchanged ssh-keys as a "chain of trust" with some central management system (usually my NIM-server) and then use this system to administrate the system further. Most of my work is done without directly logging on to the system but by developing and executing scripts, which use "dsh" (or even while-loops feeding some host-list into a "ssh"-command) to execute commands remotely.

So, to come back to my point "log in as normal user and 'sudo su' to root" is an advice of dubious quality IMHO. Yes, if your system is for private use or anything similar to this it is good, in a real data center it is rather less practicable.

bakunin
 

9 More Discussions You Might Find Interesting

1. Answers to Frequently Asked Questions

Lost root password / Can't login as root

We have quite a few threads about this subject. I have collected some of them and arranged them by the OS which is primarily discussed in the thread. That is because the exact procedure depends on the OS involved. What's more, since you often need to interact with the boot process, the... (0 Replies)
Discussion started by: Perderabo
0 Replies

2. Linux Benchmarks

Linux Benchmarks Makes No Sense

I created two computers with identical hardware, and run the benchmark programs in both starting at the same exact time. What makes no sense is that the computer that has the lower average index (121) finished the race a good 30 minutes ahead of the computer wich showed the higher avg index... (0 Replies)
Discussion started by: philip_38
0 Replies

3. AIX

Can't login root account due to can't find root shell

Hi, yesterday, I changed root's shell in /etc/passwd, cause a mistake then I can not log in root account (can't find correct shell). I attempted to log in single-mode, however, it prompted for single-mode's password then I type root's password but still can not log in. I'm using AIX 5L version 5.2... (2 Replies)
Discussion started by: neikel
2 Replies

4. High Performance Computing

Rocks clusters make sense for educational environments

08-18-2008 11:00 AM Cluster computing has played a pivotal role in the way research is conducted in educational environments. Because the amount of available money and hardware varies between university researchers, often it's necessary to find a clustering solution that can work well on a small... (0 Replies)
Discussion started by: Linux Bot
0 Replies

5. UNIX for Dummies Questions & Answers

a for loop that doesn't make sense

I've been referring bash info for processes and came across a structure for a process which is defined like typedef struct process { struct process *next; char ** argv . . . }process; What I don't understand is that in the program there's a for loop which goes like this job... (2 Replies)
Discussion started by: sdsd
2 Replies

6. UNIX for Dummies Questions & Answers

trying to make sense of rsync output...

I'm running the following rsync command to sync a directory between the 2 servers: rsync -az --delete --stats /some_dir/ server_name:/some_dir I'm getting the following output: Number of files: 655174 Number of files transferred: 14221 Total file size: 1138531979331 bytes Total... (0 Replies)
Discussion started by: GKnight
0 Replies

7. UNIX for Advanced & Expert Users

sar -d output... does not make sense

Can someone explain the correlation between how sar names the disk drives and how the rest of the OS names the disk drives? sar lists my disk drives as sd0, sd1, sd2, etc..... while format lists my disk drives as c1t0d0, c1t1d0, c1t2d0,etc... And also why sar shows 8 disks but format... (2 Replies)
Discussion started by: s ladd
2 Replies

8. Red Hat

How to make a Password-Less Login from Windows to Linux using OpenSSH?

I installed the OpenSSH on my Windows Machine. I want to connect to the remote Linux machine without typing password. I followed the bellow instructions but the SSH needs password to establish the connection yet. Open CMD and run: ssh-keygen -t rsa (The public and private keys are generated in... (1 Reply)
Discussion started by: manoj.solaris
1 Replies

9. Red Hat

Does it make sense to reduce the total shared memory

We have several dozen Redhat 5, 6 and 7 servers that are running Oracle databases. On some databases we are using automatic memory management, which uses shared memory. On other databases we are use manual memory management, which does not use shared memory. When I see that a server is swapping... (2 Replies)
Discussion started by: gandolf989
2 Replies

LEARN ABOUT DEBIAN

csp_mkdircp

csp_helper(1)							  USER COMMANDS 						     csp_helper(1)

  NAME
      csp_helper - A collection of caspar helper scripts

  SYNOPSIS
      csp_install dir (directory) file (file)

      csp_mkdircp dir (directory) file (file)

      csp_scp_keep_mode h ([user@]host) dir (directory) file (file)

      csp_sucp h ([user@]host) dir (directory) file (file)

  DESCRIPTION
      The  scripts  csp_install,  csp_mkdircp,	csp_scp_keep_mode  and csp_sucp are helpers for caspar(7). These scripts typically are not invoked
      directly, but via a Makefile which uses caspar. See the notes on	csp_PUSH  in  caspar(7)  for  information  on  how  to	link  csp_install,
      csp_scp_keep_mode and csp_sucp to caspar.

  install DESCRIPTION
      csp_install creates the required directory (if needed) and installs the file, preserving timestamps. It uses install(1).

  install EXAMPLES
       csp_INSTALL_OPTIONS='--owner=www-data --group=www-data' 
	csp_INSTALL_MODE=ugo=r 
	csp_install /srv/www index.html

       csp_INSTALL_MODE=u=rwx,go= csp_install /usr/local/sbin mkpasswd

  install ENVIRONMENT
      csp_install honors csp_INSTALL_OPTIONS and csp_INSTALL_MODE (default is u=rw,go=r).

  mkdircp DESCRIPTION
      csp_mkdircp calls mkdir(1) and cp(1).

  scp_keep_mode DESCRIPTION
      csp_scp_keep_mode  uses  ssh to copy a file to a remote host, keeping its file permission mode. The trick used is a combination of mktemp(1)
      and mv(1).  Useful if you'd like to be sure a file gets installed e.g. group writable, without fiddling with permission bits on  the  remote
      host.

  scp_keep_mode EXAMPLE
	chmod g+w rc
	csp_scp_keep_mode root@gandalf /etc/uruk rc

  scp_keep_mode ENVIRONMENT
      csp_scp_keep_mode honors csp_SSH ("ssh" by default).

  sucp DESCRIPTION
      csp_sucp calls cat(1) from within sudo(1) from within ssh(1). This allows one to copy files to accounts on hosts one can only reach by call-
      ing sudo on the ssh-reachable remote host.

      Typically, one wants to install a root-owned file, but one does not want to allow access to the root-account directly  from  ssh.  Typically
      sudo is used as an extra line of defense.

  sucp EXAMPLES
      Some examples:

	csp_sucp rms@bilbo /etc fstab

	csp_sucp monty-python commit/ trailer.txt

  sucp BUGS
      If  NOPASSWD  is	not  set in the sudoers(5) file, and one's timestamp is expired, csp_sucp will forward the sudo password prompt. The given
      password will be echoed on the console!

  AUTHOR
      Joost van Baal-Ili

  SEE ALSO
      caspar(7) The caspar homepage is at http://mdcc.cx/caspar/ .

  csp_helper 20120514						      14 mai 2012						       csp_helper(1)
All times are GMT -4. The time now is 10:14 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy