Learning Linux
-
su should not be asking for the root password either. That's not normal behaviour.
-
@Dashrender said:
I can definitely see its strengths when needing to provide root level access to limited functions, but in my case I'm the only person who will likely ever run anything on this server, at least directly.
But since sudo is all about protecting the system from YOU the fact that you are a one man shop really doesn't make it any less important, right? Sudo is about preventing mistakes, it has nothing to do with multiple users.
-
How you set up sudo is determined by the OS that you are running. It is not generic. What OS do you have?
-
@scottalanmiller said:
su should not be asking for the root password either. That's not normal behaviour.
Please explain. As I understand it (linux noob here) su is used to run as root where your normal account doesn't have the needed permissions.
Are you implying that I should have it set some way that when invoking su my user already has permission to do so and therefore isn't verified via the password for root?
-
I'm building an ELK stack on CentOS 7.
-
@Dashrender said:
Please explain. As I understand it (linux noob here) su is used to run as root where your normal account doesn't have the needed permissions.
su = switch user, it allows you to BECOME the other user by changing into that account. Analogous to quickly logging out and back in.
sudo = run a command as another user, analogous to Windows "Run As Administrator". It's so that you can run a single command with elevated privileges and not have the entire account be a root level shell. So you don't run things as root accidentally.
-
@Dashrender said:
Are you implying that I should have it set some way that when invoking su my user already has permission to do so and therefore isn't verified via the password for root?
Correct, in reality to get to su you should be using sudo such as....
sudo -i su -
what prevents a rouge program that's running as me from doing that very thing and gaining root access since they don't have to type in a password?
-
@Dashrender said:
I'm building an ELK stack on CentOS 7.
The all you do is add your user to the "wheel" group. Wheel is the name of the administrators group. Has been in UNIX since the days of yore.
Then in the /etc/sudoers file you just uncomment the field that allows WHEEL access to ROOT with NOPASSWD.
-
@scottalanmiller said:
@Dashrender said:
I'm building an ELK stack on CentOS 7.
The all you do is add your user to the "wheel" group. Wheel is the name of the administrators group. Has been in UNIX since the days of yore.
Then in the /etc/sudoers file you just uncomment the field that allows WHEEL access to ROOT with NOPASSWD.
Thanks for that explanation - much better than just adding my name to the sudoers file - but I'm still wondering about the virus/malware protection.
-
@Dashrender said:
Thanks for that explanation - much better than just adding my name to the sudoers file
Yes, that really should not happen. Not realistically.
-
@Dashrender said:
but I'm still wondering about the virus/malware protection.
Don't go around browsing websites from your server. Problem solved
-
With User Account Control in Windows, if my user has local admin rights, I still get prompted (normally) so even if some malware is trying to run, if I get an unexpected prompt I should be wary and most likely deny the access.
Does something like that apply here? in a non gui, I'm not sure how it could. I'm probably over thinking it. In a CLI the only things that are running are those that I type.
As for someone gaining access to my account, I guess I just need to make sure I have a good password.
-
@Dashrender said:
With User Account Control in Windows, if my user has local admin rights, I still get prompted (normally) so even if some malware is trying to run, if I get an unexpected prompt I should be wary and most likely deny the access.
In Linux it will just fail, doesn't even prompt you.
-
@Dashrender said:
Does something like that apply here? in a non gui, I'm not sure how it could. I'm probably over thinking it. In a CLI the only things that are running are those that I type.
This is what sudo does. It's just proactive instead of reactive.
-
@Dashrender said:
As for someone gaining access to my account, I guess I just need to make sure I have a good password.
Or use a key. Or a key plus a password. Or add another for of two or even three factor authentication.
-
Make sure you are running fail2ban.
-
awesome, thanks...
-
Had to be done
-
