Difference between revisions of "Disable root password and gain su sudo with no password"
Revision as of 16:44, 13 February 2009
Arch Linux is not fine-tuned to work with a disabled root account. You will most likely run into problems if you don't know exactly what you're doing. Additionally, the developers feel that disabling the root account entirely is stupid.
If your sudo settings break you won't be able to use the root account on your box. When using a remote or headless machine, this can be something of a pain to fix.
- User password strength is equal to root's password, and one must first log in to use sudo.
- Root password will be disabled -- anyone trying to log in as root will be denied. Anyone wanting to access the machine must first know the correct username.
- Once local security is compromised the root password is meaningless -- a LiveCD is a perfect backdoor.
You'll need "sudo" installed. You can grab it from pacman:
# pacman -S sudo
You should always use visudo to edit the sudoers file since visudo performs some checks to ensure that the edited file remains valid. Type visudo at a root prompt and edit. The command i will start edit mode in vi, Esc will end it, :wq will save the file and quit, while :q! will quit without saving.
If you are uncomfortable with vi, you can use nano instead.
# export EDITOR=nano; visudo
Allow user ziggy to use sudo from the local machine only, using the HOSTNAME set in rc.conf:
ziggy <hostname>=(ALL) ALL
Allow user arch sudo from anywhere (local/net):
arch ALL=(ALL) ALL
Allow group wheel sudo access requiring no password:
%wheel ALL=(ALL) NOPASSWD: ALL
Don't forget to add the desired users to any groups with sudo abilities.
# gpasswd -a username group
Note that it is perfectly valid to mix-and-match these options to create a more custom sudo environment. For more complete information on the capabilities of the sudoers file, visit http://www.gratisoft.us/sudo/man/sudoers.html.
To allow wheel users to log in locally only, add the following line to /etc/security/access.conf:
-:wheel:ALL EXCEPT LOCAL
Test the user's sudo abilities, then disable the root account by locking its password.
# passwd -l root
A similar command unlocks root.
$ sudo passwd -u root
That's it. You should have a newly-disabled root.
Alternative method of disabling root
Edit your /etc/shadow.
$ sudo vipw -s
Then replace root's encrypted password with !. The full line will look something like:
This method still lets package install scripts that need to add or remove users and groups on the system (the gpasswd steps) run when you use pacman. That is impossible if you lock root with 'passwd -l root'.
To enable root login again:
$ sudo passwd root
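A pre-flight check for the steps above, as an added example that is not part of the original wiki page: it confirms a user has a sudoers rule before root is locked, then reports the state of root's shadow field. The function names `root_pw_state` and `has_sudo_rule` are hypothetical and the sample files are constructed.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the state of root's password field in a shadow-format file.
root_pw_state() {   # root_pw_state [SHADOW_FILE]
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"    # no password needed at all
            else if ($2 ~ /^[!*]/) print "locked"   # "!" or "*" never matches a hash
            else                   print "set"
            exit
        }
        END { if (!found) print "missing" }
    ' "${1:-/etc/shadow}"
}

# Succeed if USER has an active sudoers rule, directly or through a %group
# that lists it as a member. Aliases, includes and primary groups are not
# followed, so "sudo -l -U USER" stays the authoritative check.
has_sudo_rule() {   # has_sudo_rule USER SUDOERS_FILE GROUP_FILE
    awk -v user="$1" '
        FNR == NR {                        # first file: group database
            split($0, f, ":")
            m = split(f[4], mem, ",")
            for (i = 1; i <= m; i++) if (mem[i] == user) ingroup[f[1]] = 1
            next
        }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        $1 == user { ok = 1 }
        $1 ~ /^%/ && (substr($1, 2) in ingroup) { ok = 1 }
        END { exit !ok }
    ' "$3" "$2"
}

# Demo on constructed files, so nothing on the live system is read or changed.
demo() {
    d=$(mktemp -d)
    printf 'root:!:14288::::::\n' > "$d/shadow"
    printf 'wheel:x:10:ziggy\n' > "$d/group"
    printf '%%wheel ALL=(ALL) NOPASSWD: ALL\n' > "$d/sudoers"
    has_sudo_rule ziggy "$d/sudoers" "$d/group" && root_pw_state "$d/shadow"
    rm -rf "$d"
}
demo
```

An "empty" result means root can log in with no password at all, which is the opposite of a locked account.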
KDE - kdesu
kdesu may be used under KDE to launch GUI applications with root privileges. It is possible that by default kdesu will try to use su even if the root account is disabled. Fortunately we can tell kdesu to use sudo instead of su.
There are two ways to do so:
- Recompile kdebase with '--with-sudo-kdesu-backend' configure switch.
- Create a kdesurc file in '/usr/share/config/' with the following: