Difference between revisions of "Disable root password and gain su sudo with no password"

From ArchWiki
 
Line 1: Line 1:
 
 
===Why:===
 
===Why:===
  
Line 12: Line 11:
 
  <b>1.1</b> add \"<user> <machine_name/ALL>=(ALL) ALL\" to /etc/sudoers - must use visudo to edit. example (type visudo at bash prompt and edit - the command <b>s</b> will start edit mode of vi, <b>Esc</b> will end it<b>:wq</b> will save the file and quit, while <b>:q</b> will just quit visudo):
 
  <b>1.1</b> add \"<user> <machine_name/ALL>=(ALL) ALL\" to /etc/sudoers - must use visudo to edit. example (type visudo at bash prompt and edit - the command <b>s</b> will start edit mode of vi, <b>Esc</b> will end it<b>:wq</b> will save the file and quit, while <b>:q</b> will just quit visudo):
  
  <verbatim>
+
  <pre>
 
     > visudo
 
     > visudo
 
   #allow user ziggy sudo from local machine only (my''machine''name = HOSTNAME in rc.conf):
 
   #allow user ziggy sudo from local machine only (my''machine''name = HOSTNAME in rc.conf):
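Review bot: the context line `#allow user ziggy sudo from local machine only (my''machine''name = HOSTNAME in rc.conf)` sits inside the block this hunk converts from `<verbatim>` to `<pre>`, and the rendered revision shows the doubled apostrophes literally. If the placeholder is meant to be my_machine_name, restore the underscores in the same edit. The 1.1 sentence also runs `Esc will end it` straight into `:wq` and needs a separator there.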
Line 18: Line 17:
 
   #allow user arch sudo from anywhere (local/net):
 
   #allow user arch sudo from anywhere (local/net):
 
   arch    ALL=(ALL) ALL
 
   arch    ALL=(ALL) ALL
  </verbatim>
+
  </pre>
  
 
<b>2. disable root and gain su/sudo with no password : </b>
 
<b>2. disable root and gain su/sudo with no password : </b>
Line 24: Line 23:
 
  <b>2.1</b> add group 'wheel' to installed accounts:
 
  <b>2.1</b> add group 'wheel' to installed accounts:
  
  <verbatim>
+
  <pre>
 
       gpasswd -a <username> wheel
 
       gpasswd -a <username> wheel
  </verbatim>
+
  </pre>
  
 
  <b>2.2</b> allow members of 'wheel' group to use su (it will be passwordless since root will be disabled) by adding the following line to <b>both</b> /etc/pam.d/su & /etc/pam.d/sudo :
 
  <b>2.2</b> allow members of 'wheel' group to use su (it will be passwordless since root will be disabled) by adding the following line to <b>both</b> /etc/pam.d/su & /etc/pam.d/sudo :
  
  <verbatim>
+
  <pre>
 
       auth          sufficient      pam''wheel.so trust use''uid
 
       auth          sufficient      pam''wheel.so trust use''uid
  </verbatim>
+
  </pre>
  
 
  <b>2.3</b> to allow wheel users login via local <b>only</b>, add the following line to /etc/security/access.conf :
 
  <b>2.3</b> to allow wheel users login via local <b>only</b>, add the following line to /etc/security/access.conf :
  
  <verbatim>
+
  <pre>
 
       -:wheel:ALL EXCEPT LOCAL
 
       -:wheel:ALL EXCEPT LOCAL
  </verbatim>
+
  </pre>
  
 
  <b>2.4</b> disable the root account by removing it's password.
 
  <b>2.4</b> disable the root account by removing it's password.
  
  <verbatim>
+
  <pre>
 
       passwd -l root
 
       passwd -l root
  </verbatim>
+
  </pre>
  
 
  <b>3.</b> if you ever need to reacitvate root, just run
 
  <b>3.</b> if you ever need to reacitvate root, just run
  
  <verbatim>
+
  <pre>
 
     sudo passwd root
 
     sudo passwd root
  </verbatim>
+
  </pre>
  
 
thats it. enjoy your new passwordless root :)
 
thats it. enjoy your new passwordless root :)
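Review bot: in step 2.2 the line to paste into /etc/pam.d/su and /etc/pam.d/sudo reads `pam''wheel.so trust use''uid`, and the rendered revision shows the doubled apostrophes literally, so a reader copying it gets neither the module name pam_wheel.so nor the option use_uid; fix the underscores while the tags are being changed. Step 2.4 says the root password is removed, but the command shown, `passwd -l root`, locks it; the wording should say "lock", since removing a password is a different operation.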

Revision as of 20:29, 23 July 2005

Why:

  1. The user's password is as strong as root's password, and one must first log in as that user in order to use su/sudo.
  2. The root password will be disabled, so anyone who tries to log in as root will be denied. An intruder therefore has to know a valid user name beforehand, which adds further security.
  3. Once local security is compromised, a root password is meaningless if a live CD (etc.) is in hand, or, as a wise user added, a baseball bat...

How:

1. allow user to sudo :

1.1 add "<user> <machine_name/ALL>=(ALL) ALL" to /etc/sudoers. You must use visudo to edit this file. Example (type visudo at the bash prompt and edit: the command s will start the edit mode of vi, Esc will end it, :wq will save the file and quit, while :q will just quit visudo):
    > visudo
   #allow user ziggy sudo from local machine only (my_machine_name = HOSTNAME in rc.conf):
   ziggy   my_machine_name=(ALL) ALL
   #allow user arch sudo from anywhere (local/net):
   arch    ALL=(ALL) ALL
 

2. disable root and gain su/sudo with no password :

2.1 add group 'wheel' to installed accounts:
      gpasswd -a <username> wheel
 
2.2 allow members of the 'wheel' group to use su (it will be passwordless since root will be disabled) by adding the following line to both /etc/pam.d/su and /etc/pam.d/sudo:
      auth           sufficient      pam_wheel.so trust use_uid
 
2.3 to allow wheel users to log in locally only, add the following line to /etc/security/access.conf:
      -:wheel:ALL EXCEPT LOCAL
 
2.4 disable the root account by locking its password:
      passwd -l root
 
3. if you ever need to reactivate root, just run
     sudo passwd root
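
The check below is an added example, not part of the original wiki page: it reads a filesystem tree and lists the wheel members that the pam_wheel.so trust line from step 2.2 lets through su/sudo authentication without a password, along with whether root's password is locked as in step 2.4. The function names and the sample tree (users, group id, hash) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a filesystem tree for the settings from steps 2.1-2.4.
# $1 is a root prefix: "/" for the live system (shadow needs root) or a test tree.

# Print which of su/sudo carry an active (uncommented) pam_wheel.so "trust" line.
pam_trust_files() {
    for svc in su sudo; do
        f="$1/etc/pam.d/$svc"
        [ -r "$f" ] || continue
        awk '$1 == "auth" && $2 == "sufficient" && $3 ~ /pam_wheel\.so$/ {
                 for (i = 4; i <= NF; i++) if ($i == "trust") found = 1
             }
             END { exit !found }' "$f" && echo "$svc"
    done
    return 0
}

# Print the members of group wheel, space separated.
wheel_members() {
    awk -F: '$1 == "wheel" { gsub(",", " ", $4); print $4 }' "$1/etc/group"
}

# Succeed if root's shadow password field is locked ("!" or "*" prefix).
root_locked() {
    awk -F: '$1 == "root" && $2 ~ /^[!*]/ { locked = 1 }
             END { exit !locked }' "$1/etc/shadow"
}

# One line per account whose own login is now the only barrier before root.
audit() {
    svcs=$(pam_trust_files "$1" | tr '\n' ' ')
    [ -n "$svcs" ] || { echo "no pam_wheel trust line in su/sudo"; return 0; }
    if root_locked "$1"; then state=locked; else state=usable; fi
    for u in $(wheel_members "$1"); do
        echo "$u: passes PAM auth for [${svcs% }] without a password (root password $state)"
    done
}

# Build a constructed sample tree (not taken from a real host) and print its path.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc/pam.d"
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_wheel.so trust use_uid' \
        'auth required pam_unix.so' > "$d/etc/pam.d/su"
    printf '%s\n' '#auth sufficient pam_wheel.so trust use_uid' \
        'auth required pam_unix.so' > "$d/etc/pam.d/sudo"
    printf '%s\n' 'root:x:0:root' 'wheel:x:10:ziggy,arch' > "$d/etc/group"
    printf '%s\n' 'root:!$1$constructed$hash:12987::::::' > "$d/etc/shadow"
    echo "$d"
}

if [ $# -gt 0 ]; then audit "$1"; fi
```

Every account the audit lists should have a password at least as strong as the one root had, since that login is all that stands before root.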
 

That's it. Enjoy your new passwordless root :)