<div dir="ltr">That's pretty much the basic "root can't login" variant. Login as normal user, become root, and off you go. It is far more secure than having an exposed root, but the advantage of sudo is granularity. This has been attempted in various ways through the years. Sun's RBAC was fun, each "role" being a non-loginable user that you became to run the limited commands it was allowed. I prefer sudo, where I can specify exactly the commands each person can run.<div>
<br></div><div>The thing about security, is that anyone with much experience knows that root is a state of mind. It's a tradeoff between difficulty in using and difficulty in bypassing.</div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Tue, Jun 10, 2014 at 8:38 AM, <span dir="ltr"><<a href="mailto:techlists@phpcoderusa.com" target="_blank">techlists@phpcoderusa.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I was taught to use a two layer login and sudo. The first user can login to SSH and is not sudo. The second user is sudo and cannot log in. I was told long ago this was a way to protect the system.<div><div class="h5">
<br>
<br>
<br>
On 2014-06-10 02:16, Michael Havens wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
however, in my notes I and add a line like this:<br>
<br>
%sudo ALL=(ALL) NOPASSWD: ALL<br>
<br>
and then add my user to the sudo group.<br>
What does the percent sign mean? does it indicate the next string of<br>
characters is the name of a group?<br>
<br>
:-)~MIKE~(-:<br>
<br>
On Mon, Jun 9, 2014 at 9:41 PM, Michael Havens <<a href="mailto:bmike1@gmail.com" target="_blank">bmike1@gmail.com</a>><br>
wrote:<br>
<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
how embarrasing! I already wrote myself notes on how to do this.....<br>
sorry to waste the brain power with my taxing question. lol<br>
<br>
:-)~MIKE~(-:<br>
<br>
On Mon, Jun 9, 2014 at 4:31 PM, Michael Havens <<a href="mailto:bmike1@gmail.com" target="_blank">bmike1@gmail.com</a>><br>
wrote:<br>
<br>
Why is the format so different? Meaning the examples I have to look<br>
at are 'ALL=(ALL:ALL) ALL' but the way the computer accepts it is<br>
without the parentheses and withot the cast three characters. <br>
<br>
:-)~MIKE~(-:<br>
<br>
On Mon, Jun 9, 2014 at 2:51 PM, Jon Ernster <<a href="mailto:jon.ernster@gmail.com" target="_blank">jon.ernster@gmail.com</a>><br>
wrote:<br>
<br>
ALL just gives you the ability to run sudo on all binaries. If you<br>
don't want to give your password every time you use sudo then you<br>
need to use the NOPASSWD option.<br>
<br>
ie: exampleuser ALL=NOPASSWD: ALL<br>
<br>
On Mon, Jun 9, 2014 at 3:42 PM, Michael Havens <<a href="mailto:bmike1@gmail.com" target="_blank">bmike1@gmail.com</a>><br>
wrote:<br>
<br>
I just tried saving it as sudoers rather than as the .tmp file but<br>
still it requires a password. Please tell me what I am doing wrong?<br>
Here is the file <user is ***><br>
<br>
# Cmnd alias specification<br>
<br>
# User privilege specification<br>
root ALL=(ALL:ALL) ALL<br>
*** ALL=(ALL:ALL) ALL<br>
<br>
# Members of the admin group may gain root privileges<br>
admin ALL=(ALL) ALL<br>
*** ALL=(ALL:ALL) ALL<br>
<br>
# Allow members of group sudo to execute any command<br>
sudo ALL=(ALL:ALL) ALL<br>
*** ALL=(ALL:ALL) ALL<br>
<br>
:-)~MIKE~(-:<br>
<br>
On Mon, Jun 9, 2014 at 2:23 PM, James Mcphee <<a href="mailto:jmcphe@gmail.com" target="_blank">jmcphe@gmail.com</a>><br>
wrote:<br>
<br>
sudoers.tmp is the lock file visudo uses to make sure there aren't<br>
multiple edits going on at the same time.<br>
<br>
On Mon, Jun 9, 2014 at 1:53 PM, Michael Havens <<a href="mailto:bmike1@gmail.com" target="_blank">bmike1@gmail.com</a>><br>
wrote:<br>
<br>
I am trying to add my user to 'sudoers'. After I do I press cntrl-X<br>
and it says the file it is going to save is 'sudoers.tmp' . So I<br>
save it like that and my user still requires a password. should I<br>
not save it as the .tmp file but rather as 'sudoers'. I don't<br>
remember it being like that last time I did this!<br>
<br>
:-)~MIKE~(-:<br>
------------------------------<u></u>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.<u></u>org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
</div></div><a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/<u></u>mailman/listinfo/plug-discuss</a> [1]<div class=""><br>
<br>
--<br>
James McPhee<br>
<a href="mailto:jmcphe@gmail.com" target="_blank">jmcphe@gmail.com</a><br>
------------------------------<u></u>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.<u></u>org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
</div><a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/<u></u>mailman/listinfo/plug-discuss</a> [1]<br>
</blockquote><div class="">
<br>
------------------------------<u></u>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.<u></u>org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br></div>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/<u></u>mailman/listinfo/plug-discuss</a> [1]<div class=""><br>
<br>
------------------------------<u></u>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.<u></u>org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br></div>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/<u></u>mailman/listinfo/plug-discuss</a> [1]<br>
<br>
<br>
<br>
Links:<br>
------<br>
[1] <a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/<u></u>mailman/listinfo/plug-discuss</a><div class=""><br>
<br>
------------------------------<u></u>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.<u></u>org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/<u></u>mailman/listinfo/plug-discuss</a><br>
</div></blockquote><div class="HOEnZb"><div class="h5">
------------------------------<u></u>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.<u></u>org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/<u></u>mailman/listinfo/plug-discuss</a></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>
James McPhee<br><a href="mailto:jmcphe@gmail.com">jmcphe@gmail.com</a>
</div>