Disable root password and gain su sudo with no password

From ArchWiki

The factual accuracy of this article is disputed.
Please cite the origin of the disputed facts or remove anything that is unverifiable.

Caution:

If your sudo settings are screwed up (pacman, other things) for some reason, you won't be able to use the root account on your box. This will be a really big pain on headless/remote systems you are administering. This is more likely to happen than your root password being compromised.

Why:

  1. The user's password is as strong as root's password, and one must first log in in order to use su/sudo.
  2. The root password will be disabled, so anyone who tries to log in as root will be denied. Anyone who wants to log in must therefore already know a user name, which adds further security.
  3. Once local security is compromised, a root password is meaningless if a live CD (etc.) is at hand, or, as a wise user added, a baseball bat...

Requirements:

You'll need "sudo" installed. You can grab it with pacman:

# pacman -S sudo

How:

1. Allow user to sudo:

1.1 Add "<user> <machine_name/ALL>=(ALL) ALL" to /etc/sudoers. Always use visudo to edit the sudoers file, since visudo checks that the edited file is valid. (Type visudo at a root prompt and edit. In vi, i starts insert mode, Esc ends it, :wq saves the file and quits, while :q quits visudo.)

If you are uncomfortable with vi, you can run "export EDITOR=nano; visudo".

   > visudo
   #allow user ziggy sudo from local machine only (my_machine_name = HOSTNAME in rc.conf and NOT localhost):
   ziggy   my_machine_name=(ALL) ALL
   #allow user arch sudo from anywhere (local/net):
   arch    ALL=(ALL) ALL 

1.2 If you didn't use visudo, you will need to chmod /etc/sudoers to 0440:

chmod 0440 /etc/sudoers

2. Disable root and gain su/sudo with no password:

2.1 Add the installed accounts to the 'wheel' group:

      gpasswd -a <username> wheel
 

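2.2 Allow members of the 'wheel' group to use sudo (it will be passwordless since root will be disabled) by adding the following line to /etc/pam.d/sudo. The 'trust' option makes wheel membership alone sufficient for authentication, so any process running as a wheel user can become root without a password: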

      auth           sufficient      pam_wheel.so trust use_uid
 

2.3 To allow wheel users to log in locally only, add the following line to /etc/security/access.conf:

      -:wheel:ALL EXCEPT LOCAL
 

2.4 Test it, then disable the root account by locking its password:

      passwd -l root
 

3. If you ever need to reactivate root, just run:

     sudo passwd root
 

That's it. Enjoy your new passwordless root. :)
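
A preflight for step 2.4 ("Test it"), as an added example that is not part of the original wiki page: before passwd -l root is run, it checks that the sudoers rule, the 0440 mode, the wheel membership and the pam_wheel line from steps 1.1 to 2.2 are all in place. The function names are hypothetical, file paths are passed as arguments so the checks can be tried on copies, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the wiki page): checks to run BEFORE `passwd -l root`.
# All function names are hypothetical; GNU stat (-c) is assumed.

# True if FILE has a rule whose first field is USER (step 1.1).
has_sudoers_rule() {  # USER FILE
    awk -v u="$1" '$1 == u && /=/ { ok = 1 } END { exit !ok }' "$2"
}

# True if FILE is mode 0440, as step 1.2 requires.
mode_is_0440() {  # FILE
    [ "$(stat -c %a "$1")" = "440" ]
}

# True if USER is a listed member of GROUP in a group(5) file (step 2.1).
# Primary-group membership (the gid in passwd) is not considered.
in_group() {  # USER GROUP GROUPFILE
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ",")
                  for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3"
}

# True if the PAM file has an active (uncommented) pam_wheel.so line
# carrying the "trust" option (step 2.2).
pam_wheel_trust() {  # PAMFILE
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so([[:space:]].*)?[[:space:]]trust([[:space:]]|$)' "$1"
}

# Succeeds only if every prerequisite holds; reports each failure on stderr
# so that all problems are visible in one run.
preflight() {  # USER SUDOERS GROUPFILE PAMFILE
    rc=0
    has_sudoers_rule "$1" "$2" || { echo "no sudoers rule for $1 in $2" >&2; rc=1; }
    mode_is_0440 "$2"          || { echo "$2 is not mode 0440" >&2; rc=1; }
    in_group "$1" wheel "$3"   || { echo "$1 is not a member of wheel" >&2; rc=1; }
    pam_wheel_trust "$4"       || { echo "no active pam_wheel.so trust line in $4" >&2; rc=1; }
    return "$rc"
}

# Usage (as root, since /etc/sudoers is not world-readable):
#   preflight ziggy /etc/sudoers /etc/group /etc/pam.d/sudo && passwd -l root
# `visudo -c` additionally checks the syntax of the sudoers file.
```

Keep a root shell open in another terminal while testing, so a failed check can still be fixed.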


3. For KDE users, make kdesu use sudo:


Tips extracted from http://bugs.kde.org/show_bug.cgi?id=20914#c24


kdesu may be used under KDE to launch GUI applications with root privileges. By default kdesu uses su. As the root password has been deactivated, su will fail. Fortunately we can tell kdesu to use sudo instead of su. There are two ways to do so:


3.1 Recompile kdebase with '--with-sudo-kdesu-backend' configure switch.


3.2 Create a kdesurc file in '/opt/kde/share/config/' with the following:

    [super-user-command]
    super-user-command=sudo
 