Solved

SSH > New User to replace root

Posted on 2007-07-25
Medium Priority
391 Views
Last Modified: 2008-02-01
Hi,

Create a new root user?

User is jrs
Group is ???

Jay
Question by: Jay-Shahj

25 Comments
LVL 4

Author Comment

by:Jay-Shahj
ID: 19564420
"Tolomir:
It seems like the user jrs didn't have permissions to execute "su". With "chmod 755 /bin/su" you grant all users the permission to execute "/bin/su".

If that is a security problem, set permissions to "chmod 750 /bin/su" and add the user to the group "/bin/su" is assigned to."

How do I change/add the group?

Jay
LVL 43

Expert Comment

by:ravenpl
ID: 19564435
Every user that has UID set to 0 is root. But don't create such users.
Better use sudo:
http://www.chinalinuxpub.com/doc/www.siliconvalleyccie.com/linux-hn/sudo.htm
LVL 4

Author Comment

by:Jay-Shahj
ID: 19564443
The difference being...?
LVL 43

Expert Comment

by:ravenpl
ID: 19564462
> chmod 750 /bin/su
will in fact break the su tool (the command will strip the setuid bit from the executable).
But if you want to go this way:
groupadd su
chgrp su /bin/su
chmod 04750 /bin/su

> The difference being...?
If a user has UID set to 0, it acts with root privileges after logging in.

sudo allows you to restrict a user to only some actions that can be performed by root. And nowadays it's the standard. It was developed to reduce the number of roots per system.
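The permission-bit point made above can be checked on a scratch file instead of on /bin/su itself. The following is an added example, not code from the thread: it gives a temporary file the same setuid layout su has, applies a three-digit and a four-digit mode, and reports the resulting permission string the way `ls -l` shows it. The scratch file, the starting mode 4755 and the helper names `perm_after_chmod` and `setuid_kept` are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): a three-digit numeric chmod on a
# regular file clears the setuid bit; a four-digit mode keeps it.
# Everything happens on a throwaway file, so the real /bin/su is untouched.

set -eu

# Apply MODE to a fresh setuid file and print the first ten characters of
# its ls -l line, e.g. "-rwsr-x---" (the "s" in the owner slot is setuid).
perm_after_chmod() {
    _mode="$1"
    _f=$(mktemp)                       # scratch file, constructed input
    chmod 4755 "$_f"                   # start like a setuid, world-executable su
    chmod "$_mode" "$_f"               # the mode under test
    _perm=$(ls -l "$_f" | cut -c1-10)  # portable: works with GNU and BSD ls
    rm -f "$_f"
    printf '%s\n' "$_perm"
}

# Print "yes" if the setuid bit survived chmod MODE, "no" otherwise.
# The owner-execute column (4th character) reads "s" or "S" when setuid is set.
setuid_kept() {
    case "$(perm_after_chmod "$1" | cut -c4)" in
        s|S) echo yes ;;
        *)   echo no ;;
    esac
}

# Stand-alone demonstration of the two modes discussed in the thread.
for m in 750 755 04750; do
    printf 'chmod %-6s -> %s  setuid kept: %s\n' \
        "$m" "$(perm_after_chmod "$m")" "$(setuid_kept "$m")"
done
```

Only the four-digit form leaves the owner-execute column as `s`; `chmod 750` and `chmod 755` both produce a plain `x` there, after which su can no longer switch to root for anyone.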
LVL 4

Author Comment

by:Jay-Shahj
ID: 19564483
I don't want to 'limit' commands.

I may not have made my question clear:

I want to secure my system by disallowing direct root login (using the 'root' username), but by making another user to take over. I am the only user with root, and will ever be. It is my server.

Jay
LVL 27

Expert Comment

by:Tolomir
ID: 19564502
I think the fastest way would be to use

adduser jsr root
LVL 27

Expert Comment

by:Tolomir
ID: 19564514
this adds the user jsr to the group root
LVL 4

Author Comment

by:Jay-Shahj
ID: 19564520
That just brings up the usage:

root@server [~]# adduser jsr root
usage: adduser  [-u uid [-o]] [-g group] [-G group,...]
                [-d home] [-s shell] [-c comment] [-m [-k template]]
                [-f inactive] [-e expire ] [-p passwd] [-M] [-n] [-r] [-l] name
       adduser  -D [-g group] [-b base] [-s shell]
                [-f inactive] [-e expire ]


Jay
LVL 43

Expert Comment

by:ravenpl
ID: 19564543
> adduser jsr root
is it working? rather: adduser -g root jsr

> I was to secure my system, by disallowing direct root login (using the 'root' username), but by making another user to take over. I am the only user with root, and will ever be. It is my server.

Rename the root user then. Edit the /etc/passwd file and rename the first user. Or:
usermod -l toor root # will rename root to toor
LVL 27

Expert Comment

by:Tolomir
ID: 19564574
Well, that is Linux version dependent; I just had an Ubuntu Linux around.

The other linux SUSE (SLES) deals with such things with YAST
LVL 4

Author Comment

by:Jay-Shahj
ID: 19564575
As nice as that is, WHM now locks me out.

Thus a new account, not a rename.

Jay
LVL 27

Expert Comment

by:Tolomir
ID: 19564585
what linux do you use then?
LVL 43

Expert Comment

by:ravenpl
ID: 19564589
Maybe there is a check for two roots?

Please, use sudo tool. It's known to be secure and working.
To disable root logins, simply lock its password.
LVL 4

Author Comment

by:Jay-Shahj
ID: 19564609
> To disable root logins simply lock its password.
Needed for cPanel's Web Host Manager (right?)

> what linux do you use then?
CentOS 4.5 Enterprise:
Linux server.xxxx 2.6.9-55.0.2.EL #1 Tue Jun 26 14:08:18 EDT 2007 i686 i686 i386 GNU/Linux
^If that makes any sense to you^

> Please, use sudo tool
ok if su - fails to work & there is no solution :(

Jay
LVL 27

Expert Comment

by:Tolomir
ID: 19564632
could you post an

"ls -la /bin/su" here please
LVL 43

Expert Comment

by:ravenpl
ID: 19564633
> Needed for cPanels Web Host Manager (right?)
Right.

> ok if su - fails to work & there is no solution :(
What do you mean? su and sudo are different tools. Why should sudo not work? It works for everyone!
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 600 total points
ID: 19564682
Hello ravenpl this is the original question:

http://www.experts-exchange.com/Security/Misc/Q_22719418.html

The user wants to ssh to a remote server not using the root account.

So he wants to

ssh jsr@remote-server
su -

doing root stuff. That's all. Since he is the only user I see no problem in chmod 755 /bin/su. Do you?

Tolomir
LVL 4

Author Comment

by:Jay-Shahj
ID: 19564696
"could you post an

"ls -la /bin/su" here please"

OK:

-rwsr-x---  1 root su 61168 May  5 09:14 /bin/su*

If it helps, /bin/su was highlighted in red.

Jay
LVL 43

Expert Comment

by:ravenpl
ID: 19564730
> doing root stuff. That's all. Since he is the only user I see no problem in chmod 755 /bin/su. Do you?
It will strip suid bit and will not turn anybody to root.

> The user wants to ssh to a remote server not using the root account. Then doing root stuff.
That's exactly what sudo was implemented for.
LVL 43

Accepted Solution

by:ravenpl
ravenpl earned 1400 total points
ID: 19564745
But if you want to go the su way:

usermod -G su jsr # will add jsr to su group and therefore jsr will be able to run su tool
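The accepted solution, together with the earlier `groupadd su; chgrp su /bin/su; chmod 04750 /bin/su` recipe, amounts to an ordinary group-permission check: with mode 4750 owned by root:su, only root and members of group `su` may execute the binary at all. The following is an added example, not code from the thread or from any of the posters: it models that check over two constructed /etc/group snapshots, before and after jrs is added to the `su` group. The group file contents, the GIDs and the helper names `in_group` and `can_run_su` are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): who may execute a mode-4750 binary
# owned by root:su, decided from an /etc/group snapshot.
# The snapshots below are constructed, not copied from any real system.

set -eu

# Constructed /etc/group before and after "usermod -G su jrs".
GROUP_BEFORE='root:x:0:
su:x:500:
jrs:x:501:'
GROUP_AFTER='root:x:0:
su:x:500:jrs
jrs:x:501:'

# Print "yes" if USER is listed in the member field of GROUP in FILE_TEXT.
# /etc/group fields are name:password:gid:member,member,...
in_group() {
    _user="$1"; _group="$2"; _file="$3"
    printf '%s\n' "$_file" | awk -F: -v g="$_group" -v u="$_user" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# Model the exec check for /bin/su with mode 4750, owner root, group su:
# owner root gets rwx, group su gets r-x, everyone else gets nothing.
# (The primary GID from /etc/passwd would also count; this model only
# looks at the supplementary member list, which is what usermod -G edits.)
can_run_su() {
    _user="$1"; _file="$2"
    if [ "$_user" = root ]; then
        echo yes
        return
    fi
    in_group "$_user" su "$_file"
}

# Stand-alone demonstration.
printf 'before usermod: jrs can run su? %s\n' "$(can_run_su jrs "$GROUP_BEFORE")"
printf 'after  usermod: jrs can run su? %s\n' "$(can_run_su jrs "$GROUP_AFTER")"
```

One caveat worth knowing with current shadow-utils: `usermod -G su jrs` sets the supplementary group list to exactly `su`, dropping any other groups the user already had; `usermod -aG su jrs` appends instead.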
LVL 4

Author Comment

by:Jay-Shahj
ID: 19564765
Yes!

That is all I wanted!

Thanks,

Jay
LVL 27

Expert Comment

by:Tolomir
ID: 19564768
ok so there is a group called "su" that has the read & execute permissions on it.

fastest way would be to set "/bin/su" to 755

"chmod 755 /bin/su" as root
LVL 27

Expert Comment

by:Tolomir
ID: 19564777
ah ok....
LVL 43

Expert Comment

by:ravenpl
ID: 19564797
Damn, Tolomir, chmod 755 will not work. I already explained that. Try on Your system.
LVL 27

Expert Comment

by:Tolomir
ID: 19564849
I read your comment too late, sorry.

Experts-Exchange will not update itself and the mail came in too slowly for your update. I had to read and check on my Linux system for the right command, all taking time...

So I posted "ah ok..." to acknowledge your recommendations.
