Most of my Linux students always question about Ubuntu's root password. "It is not comfortable, it is unnecessary", and many more excuses. That led me to start changings in my Linux study-pack, in User Administration chapter.
Why ?
Definitively, it is really dangerous to use any OS with an administrative account. At any moment, you can be called to do something else, or for a phone call, or even something that only you can do (and since you work with computers, you ALWAYS forget to do!!!).
Anyway, if this happen, and you need to leave the workstation, maybe you are not editing a file or doing something more complex, or you are doing one of those heavy duties. If you aren't involved with this, that's okay.
If you are, you will either remember to lock your graphic desktop (or CLI environment) or not. If you remember, that's okay.
If you don't, someone else can do anything as the administrator. This is really unwanted. And worst, commands issued are not logged. Some of them may write something. But not them all.
One more thing, and I really dislike this: I do not want to give away root permission to my team. Root password (when exists) should be known by few members, all of them with administrative corporative responsibilities.
SUDO
Ubuntu Server root account has no valid password, by default. Since this is the only account common to all Linux distro, nobody will be able to access it. Since it is needed to know an account, system gets little bit less unsafe.
“sudo” allows a user to execute commands as any other, mostly administrative commands. At first, the user created at install time is included in this "administrative staff". This user can do anything with sudo, as root. The configuration file is /etc/sudoers. This is written upon Karmic Koala (Ubuntu 9.10).
Including an Administrative account
If I want to include Thomas Martin (let's suppose his account is tmartin) as an administrative user, all I have to do is to add him to "admin" group:
sudo adduser tmartin admin
From now on, he can do anything as root. But, whatever he does will be registered in /var/log/auth.log. Watch this example from user "teste":
Nov 13 21:55:14 fw-tosh sudo: teste : TTY=tty1 ; PWD=/home/teste ;
USER=root ; COMMAND=/usr/bin/aptitude install vim
He installed (or tried to install) vim in Nov 13, at 21:55, in TTY1, he was in his home directory when issued this command, and it ran with "root" id We can also see that this happened in “fw-tosh” host.
What this line does not tells me is if his operation was well succeeded or not. But there are other log files, such as /var/log/dpkg.log that really help.
No comments:
Post a Comment