Jay-Shahj
asked on
SSH > New User to replace root
Hi,
Create a new root user?
User is jrs
Group is ???
Jay
Every user that has UID set to 0 is root. But don't create such users.
Better use sudo
http://www.chinalinuxpub.com/doc/www.siliconvalleyccie.com/linux-hn/sudo.htm
ASKER
The difference being...?
> chmod 750 /bin/su
will in fact break the su tool (the command will strip the setuid bit from the executable)
But if you want to go this way:
groupadd su
chgrp su /bin/su
chmod 04750 /bin/su
> The difference being...?
If a user has uid set to 0, it acts with root privileges after logging in.
sudo allows you to restrict a user to only some actions that can be performed by root. And nowadays it's the standard. It has been developed to shorten the number of roots per system.
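The permission behaviour described in the comment above, as an added example that is not part of the original thread: it applies each chmod argument mentioned in the discussion to a scratch file that starts at mode 4755 (assumed here as the typical mode of a distribution's su) and reports whether the setuid bit survives. The function names `classify_su_mode` and `mode_result` are hypothetical.

```shell
#!/bin/sh
# Added example: works only on scratch files, never on the real /bin/su.
# Assumes GNU or BusyBox stat (stat -c '%a').

# Print how a su-style binary would behave given its permission bits.
classify_su_mode() {
    mode=$(stat -c '%a' "$1") || return 2
    mode=$(printf '%04d' "$mode")            # "750" -> "0750"
    special=$(printf '%s' "$mode" | cut -c1) # setuid/setgid/sticky digit
    other=$(printf '%s' "$mode" | cut -c4)   # permissions for "other"
    case $special in
        4|5|6|7) ;;                          # setuid bit present
        *) echo "no-setuid"; return 0 ;;     # su cannot become root
    esac
    case $other in
        1|3|5|7) echo "setuid-world-exec" ;; # any local user may run it
        *)       echo "setuid-group-only" ;; # only owner and group may run it
    esac
}

# Start from 4755 (assumed stock su mode), apply one chmod argument,
# then classify the resulting permission bits.
mode_result() {
    f=$(mktemp) || return 2
    chmod 4755 "$f"
    chmod "$1" "$f"
    classify_su_mode "$f"
    rm -f "$f"
}

# Modes taken from the thread: 750 and 755 drop setuid, 04750 keeps it.
for m in 750 755 04750 4755; do
    printf 'chmod %-5s -> %s\n' "$m" "$(mode_result "$m")"
done
```

A three-digit octal mode replaces the whole mode of a regular file, which is why the leading 4 has to be given explicitly.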
ASKER
I don't want to 'limit' commands.
I may not have made my question clear:
I want to secure my system, by disallowing direct root login (using the 'root' username), but by making another user to take over. I am the only user with root, and will ever be. It is my server.
Jay
I think the fastest way would be to use
adduser jsr root
this adds the user jsr to the group root
ASKER
That just brings up the usage:
root@server [~]# adduser jsr root
usage: adduser [-u uid [-o]] [-g group] [-G group,...]
[-d home] [-s shell] [-c comment] [-m [-k template]]
[-f inactive] [-e expire ] [-p passwd] [-M] [-n] [-r] [-l] name
adduser -D [-g group] [-b base] [-s shell]
[-f inactive] [-e expire ]
Jay
> adduser jsr root
is it working? rather: adduser -g root jsr
> I want to secure my system, by disallowing direct root login (using the 'root' username), but by making another user to take over. I am the only user with root, and will ever be. It is my server.
Rename the root user then. Edit the /etc/passwd file and rename the first user. Or
usermod -l toor root # will rename root to toor
Well, that is Linux version dependent; I just had an Ubuntu Linux around.
The other linux SUSE (SLES) deals with such things with YAST
ASKER
As nice as that is, WHM now locks me out.
Thus a new account, not a rename.
Jay
what linux do you use then?
Maybe there is a check for two roots?
Please, use sudo tool. It's known to be secure and working.
To disable root logins simply lock its password.
ASKER
To disable root logins simply lock its password.
> Needed for cPanels Web Host Manager (right?)
what linux do you use then?
> CentOS 4.5 Enterprise:
Linux server.xxxx 2.6.9-55.0.2.EL #1 Tue Jun 26 14:08:18 EDT 2007 i686 i686 i386 GNU/Linux
^If that makes any sense to you^
Please, use sudo tool>
> ok if su - fails to work & there is no solution :(
Jay
could you post an
"ls -la /bin/su" here please
> Needed for cPanels Web Host Manager (right?)
Right.
> ok if su - fails to work & there is no solution :(
What do you mean? su and sudo are different tools. Why should sudo not work? It works for everyone!
SOLUTION
This solution is only available to members.
ASKER
"could you post an
"ls -la /bin/su" here please"
OK:
-rwsr-x--- 1 root su 61168 May 5 09:14 /bin/su*
If it helps, /bin/su was highlighted in red.
Jay
> doing root stuff. That's all. Since he is the only user I see no problem in chmod 755 /bin/su. Do you?
It will strip suid bit and will not turn anybody to root.
> The user wants to ssh to a remote server not using the root account. Then doing root stuff.
That's exactly what sudo was implemented for.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Yes!
That is all I wanted!
Thanks,
Jay
ok so there is a group called "su" that has the read&execute permissions on it.
fastest way would be to set "/bin/su" to 755
"chmod 755 /bin/su" as root
ah ok....
Damn, Tolomir, chmod 755 will not work. I already explained that. Try on Your system.
I read your comment too late, sorry.
Experts-Exchange will not update itself and the mail came in too slow for your update. I had to read and check on my linux system for the right command, all taking time...
So I posted "ah ok..." to acknowledge your recommendations
ASKER
It seems like the user jrs didn't have permissions to execute "su". With "chmod 755 /bin/su" you grant all users the permission to execute "/bin/su".
If that is a security problem, set permissions to "chmod 750 /bin/su" and add the user to the group "/bin/su" is assigned to."
How do I change/add the group?
Jay