That's pretty much the basic "root can't login" variant.  Login as normal user, become root, and off you go.  It is far more secure than having an exposed root, but the advantage of sudo is granularity.  This has been attempted in various ways through the years.  Sun's RBAC was fun, each "role" being a non-loginable user that you became to run the limited commands it was allowed.  I prefer sudo, where I can specify exactly the commands each person can run.

The thing about security is that anyone with much experience knows that root is a state of mind.  It's a tradeoff between difficulty in using and difficulty in bypassing.


On Tue, Jun 10, 2014 at 8:38 AM, <techlists@phpcoderusa.com> wrote:

I was taught to use a two layer login and sudo.  The first user can login to SSH and is not sudo.  The second user is sudo and cannot log in.  I was told long ago this was a way to protect the system.



On 2014-06-10 02:16, Michael Havens wrote:
however, in my notes I add a line like this:

      %sudo ALL=(ALL)  NOPASSWD:  ALL

and then add my user to the sudo group.
What does the percent sign mean? Does it indicate the next string of
characters is the name of a group?

:-)~MIKE~(-:

On Mon, Jun 9, 2014 at 9:41 PM, Michael Havens <bmike1@gmail.com>
wrote:

How embarrassing! I already wrote myself notes on how to do this.....
sorry to waste the brain power with my taxing question. lol

:-)~MIKE~(-:

On Mon, Jun 9, 2014 at 4:31 PM, Michael Havens <bmike1@gmail.com>
wrote:

Why is the format so different? Meaning the examples I have to look
at are 'ALL=(ALL:ALL) ALL' but the way the computer accepts it is
without the parentheses and without the last three characters.

:-)~MIKE~(-:

On Mon, Jun 9, 2014 at 2:51 PM, Jon Ernster <jon.ernster@gmail.com>
wrote:

ALL just gives you the ability to run sudo on all binaries.  If you
don't want to give your password every time you use sudo then you
need to use the NOPASSWD option.

ie:  exampleuser    ALL=NOPASSWD: ALL

On Mon, Jun 9, 2014 at 3:42 PM, Michael Havens <bmike1@gmail.com>
wrote:

I just tried saving it as sudoers rather than as the .tmp file but
still it requires a password. Please tell me what I am doing wrong?
Here is the file <user is ***>

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL
***  ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
admin ALL=(ALL) ALL
***  ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
sudo    ALL=(ALL:ALL) ALL
***  ALL=(ALL:ALL) ALL

:-)~MIKE~(-:

On Mon, Jun 9, 2014 at 2:23 PM, James Mcphee <jmcphe@gmail.com>
wrote:

sudoers.tmp is the lock file visudo uses to make sure there aren't
multiple edits going on at the same time.

On Mon, Jun 9, 2014 at 1:53 PM, Michael Havens <bmike1@gmail.com>
wrote:

I am trying to add my user to 'sudoers'. After I do I press Ctrl-X
and it says the file it is going to save is 'sudoers.tmp'. So I
save it like that and my user still requires a password. Should I
not save it as the .tmp file but rather as 'sudoers'? I don't
remember it being like that last time I did this!

:-)~MIKE~(-:
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss [1]


--
James McPhee
jmcphe@gmail.com



Links:
------
[1] http://lists.phxlinux.org/mailman/listinfo/plug-discuss





--
James McPhee
jmcphe@gmail.com