Root login in Linux - does it make sense? Post: 302728539

Sponsored Content

Special Forums Cybersecurity Root login in Linux - does it make sense? Post 302728539 by bakunin on Thursday 8th of November 2012 03:54:46 AM

11-08-2012

Registered User

Quote:

Originally Posted by Corona688

That's what sudo's for -- it gives you the same thing in a less blunt, more careful way.[...]

I have one sudo-enabled user that I use for administrative things. So you're left with the enormous hassle of 5 extra keystrokes per command.

Fair enough. If i understand you correctly this would mean to roll out a single command on my management station might look like this:

Code:

while read WORKHOST ; do
     ssh someuser@${WORKHOST} "sudo su - root -c command"
done < /path/to/hostlist

with someuser being allowed to "su" to root without being asked for a password.

If so: what is the gain of having someuser login and switch to root without further authorization to having root log on directly? It is clear that this just transfers the "risk" from one user to the other.

There is one conceivable point for doing it this way and this is: if a host is under constant attack from bots then these bots will most likely try only "root" because the name of this user account is known. One can use any other non-default name for the "sudo-root-user" and the bots will not even try this name.

This is a valid argument but it is a predicament probably only a very few select systems are in. In most corporate networks this sort of attack is already stopped at the networks entry point.

bakunin

bakunin

View Public Profile for bakunin

Find all posts by bakunin

9 More Discussions You Might Find Interesting

1. Answers to Frequently Asked Questions

Lost root password / Can't login as root

We have quite a few threads about this subject. I have collected some of them and arranged them by the OS which is primarily discussed in the thread. That is because the exact procedure depends on the OS involved. What's more, since you often need to interact with the boot process, the...

2. Linux Benchmarks

Linux Benchmarks Makes No Sense

I created two computers with identical hardware, and run the benchmark programs in both starting at the same exact time. What makes no sense is that the computer that has the lower average index (121) finished the race a good 30 minutes ahead of the computer wich showed the higher avg index...

3. AIX

Can't login root account due to can't find root shell

Hi, yesterday, I changed root's shell in /etc/passwd, cause a mistake then I can not log in root account (can't find correct shell). I attempted to log in single-mode, however, it prompted for single-mode's password then I type root's password but still can not log in. I'm using AIX 5L version 5.2...

4. High Performance Computing

Rocks clusters make sense for educational environments

08-18-2008 11:00 AM Cluster computing has played a pivotal role in the way research is conducted in educational environments. Because the amount of available money and hardware varies between university researchers, often it's necessary to find a clustering solution that can work well on a small...

5. UNIX for Dummies Questions & Answers

a for loop that doesn't make sense

I've been referring bash info for processes and came across a structure for a process which is defined like typedef struct process { struct process *next; char ** argv . . . }process; What I don't understand is that in the program there's a for loop which goes like this job...

6. UNIX for Dummies Questions & Answers

trying to make sense of rsync output...

I'm running the following rsync command to sync a directory between the 2 servers: rsync -az --delete --stats /some_dir/ server_name:/some_dir I'm getting the following output: Number of files: 655174 Number of files transferred: 14221 Total file size: 1138531979331 bytes Total...

7. UNIX for Advanced & Expert Users

sar -d output... does not make sense

Can someone explain the correlation between how sar names the disk drives and how the rest of the OS names the disk drives? sar lists my disk drives as sd0, sd1, sd2, etc..... while format lists my disk drives as c1t0d0, c1t1d0, c1t2d0,etc... And also why sar shows 8 disks but format...

8. Red Hat

How to make a Password-Less Login from Windows to Linux using OpenSSH?

I installed the OpenSSH on my Windows Machine. I want to connect to the remote Linux machine without typing password. I followed the bellow instructions but the SSH needs password to establish the connection yet. Open CMD and run: ssh-keygen -t rsa (The public and private keys are generated in...

9. Red Hat

Does it make sense to reduce the total shared memory

We have several dozen Redhat 5, 6 and 7 servers that are running Oracle databases. On some databases we are using automatic memory management, which uses shared memory. On other databases we are use manual memory management, which does not use shared memory. When I see that a server is swapping...

LEARN ABOUT DEBIAN

gksu

GKSU(1) 							   User Commands							   GKSU(1)

NAME

       gksu - GTK+ frontend for su and sudo

SYNOPSIS

       gksu

       gksu [-u <user>] [options] <command>

       gksudo [-u <user>] [options] <command>

DESCRIPTION

       This manual page documents briefly gksu and gksudo

       gksu  is  a frontend to su and gksudo is a frontend to sudo.  Their primary purpose is to run graphical commands that need root without the
       need to run an X terminal emulator and using su directly.

       Notice that all the magic is done by the underlying library, libgksu. Also notice that the library will decide if it should use su or  sudo
       as  backend  using the /apps/gksu/sudo-mode gconf key, if you call the gksu command. You can force the backend by using the gksudo command,
       or by using the --sudo-mode and --su-mode options.

       If no command is given, the gksu program will display a small window that allows you to type in a command to be run,  and  to  select  what
       user the program should be run as. The other options are disregarded, right now, in this mode.

OPTIONS

       --debug, -d

	      Print information on the screen that might be useful for diagnosing and/or solving problems.

       --user <user>, -u <user>

	      Call <command> as the specified user.

       --disable-grab, -g

	      Disable the "locking" of the keyboard, mouse, and focus done by the program when asking for password.

       --prompt, -P

	      Ask the user if they want to have their keyboard and mouse grabbed before doing so.

       --preserve-env, -k

	      Preserve the current environments, does not set $HOME nor $PATH, for example.

       --login, -l

	      Make  this  a login shell. Beware this may cause problems with the Xauthority magic. Run xhost to allow the target user to open win-
	      dows on your display!

       --description <description|file>, -D <description|file>

	      Provide a descriptive name for the command to be used in the default message, making it nicer.  You can also  provide  the  absolute
	      path for a .desktop file. The Name key for will be used in this case.

       --message <message>, -m <message>

	      Replace  the  standard message shown to ask for password for the argument passed to the option.  Only use this if --description does
	      not suffice.

       --print-pass, -p

	      Ask gksu to print the password to stdout, just like ssh-askpass. Useful to use in scripts with programs that  accept  receiving  the
	      password on stdin.

       --su-mode, -w

	      Force gksu to use su(1) as its backend for running the programs.

       --sudo-mode, -S

	      Force gksu to use sudo(1) as its backend for running the programs.

SEE ALSO

       su(1), sudo(1)

gksu version 2.0.x						    August 2006 							   GKSU(1)