As most of your are aware on a linux system root is the administrative account. It’s also the one account that exists on most linux systems. It is critical that your protect root’s password and login. Once someone has root they can do anything on your system. One of the most common methods for protecting root is to not allow anyone to login directly as root via anything but console. This stops brute force hackers from ever getting in as root directly. This is done by adding the following line to your sshd_config and restarting ssh.
PermitRootLogin no
Then restart sshd to pick up the changes:
/etc/init.d/sshd restart
This alone takes huge strides to protecting your linux system. Then people have to use normal user accounts then switch to root. This switch is done in two ways sudo and su. Both can be protected. Sudo stands for super user do and it a great way to provide people some root access without giving away the whole account. For example you can use sudo to provide a user access to run /etc/init.d/httpd as root but nothing more. It can also be used to become root without knowing root’s password. This is great for temporary root needs. It is recommeded that you use the program to visudo to edit sudo access (which is stored in /etc/sudoers).
So to run it as root
visudo
To give a user access to root and all commands add this line:
username ALL=(ALL) ALL
You can also use to to provide access to another shared user account (for example if I want a user to be able to become mysql without knowning the password)
username ALL = (root) /bin/su - mysql
Of course if they know the password for mysql they can just type:
su - mysql
If you want them to be able to execute a single command as mysql user you can use the following command:
username ALL = (mysql) /etc/scripts/command_to_run_as_mysql
All commands have to be preceded by sudo then command. sudo also supports groups of commands or even user groups to provide access, giving the full flexability of users and groups.
Once we have locked down users to using sudo we can remove their ability to change to root using su – (This is a step most people skip and you may want to skip it depending on your environment it will not work) You can controll who can execute the command su by using permissions. First make sure your already root 🙂 Then find the location for the su command using which
which su
Now change the permissions on su so that only the owner and group can execute it.
chmod 770
Now create a group allowing access to use su: (wheel is a group name commonly used for this purpose)
groupadd wheel
Now add users to wheel with the following command:
useradd -G wheel username
Now only users in the wheel group can execute su further protecting it.
us