    ivaneeo's blog

    The power of freedom, the life of freedom.


    Ubuntu uses sudo to allow a normal user administrative privileges. Thus the traditional UNIX 'root' account is disabled (i.e. it is not possible to log in as root). All the graphical configuration utilities use sudo by default. Thus when Synaptic or something similar asks you for a password, it is asking for your password.

    The first user created is part of the admin group, which can use sudo. Any users created after that are not by default. It is recommended that all users of Ubuntu use sudo, as it provides clear benefits to security.

    Notes

    • By default, sudo remembers that you have authenticated for 15 minutes. After that time, you will need to enter your password again.

    • To run the graphical configuration utilities with sudo, simply launch the application via the menu.

    • To run a program using sudo that normally is run as the user, such as gedit, go to Applications --> Run Application and enter 'gksudo gedit'. Users of Kubuntu should use 'kdesu' in place of gksudo. Breezy users, go to Applications --> System Tools --> Run as different user.

    • To use sudo on the command line, preface the command with sudo, as below.

    sudo chown bob *

    To start a root shell (i.e. a command window where you can run root commands) use:

    sudo -s

    Warning: sudo -s doesn't change the environment variables ($HOME, $PATH etc). It can have some bad side effects. You can use sudo -i to initialize a full root environment.

    Adding users

    Warty

    In Warty, adding a new user involves editing the /etc/sudoers file. To edit that file, you must use 'visudo', as it will error check the file before exiting. To add a user with the same administration rights as the first user, add the following line to the file: '$newuser ALL=(ALL) ALL'. Replace $newuser with the username.

    Hoary

    To add a new user to sudo, open the "Users and Groups" tool from the System --> Administration menu. Then click on the user and then on Properties. Choose the "User Privileges" tab. In the tab, find "Executing system administration tasks" and check that.

    Benefits of sudo

    The benefits of leaving root disabled by default include the following.

    • Initially the Ubuntu team wanted the easiest install possible. By not enabling root, a couple of steps requiring user interaction during install could be avoided. (Colin Watson)

    • Even more significantly, if root were enabled during install, the user would be required to forever remember the password they chose--even though they would rarely use it. Root passwords are often forgotten by users who are new to the Unix security model. (Matt Zimmerman)

    • It avoids the "I can do anything" interactive login by default--you will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing. If you were logged in as root, you could just delete some of those "useless folders" and not realize you were in the wrong directory until it's too late. It's been good Unix practice for a long time to "su-command-^D" regularly instead of staying in a root shell--unless you're doing serious system maintenance (at which point you can still "sudo su"). (Jim Cheetham and Andrew Sobala)

    • Sudo adds a log entry of the command(s) run (in /var/log/auth.log). If you mess up, you can always go back and see what commands were run. (Andrew Zbikowski)

    • Every cracker trying to brute-force their way into your box will know it has an account named "root" and will try that first. What they don't know is what the usernames of your other users are.

    • Allows easy transfer of admin rights, for a short or long period, by adding and removing users from groups, while not compromising the root account. (Stuart Bishop)
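The audit-trail benefit above can be checked directly against the log. The following is an added example, not part of the original text: it classifies sudo entries from auth.log and marks root shells, since commands typed inside a root shell are not recorded individually. The function names and sample lines are constructed for illustration, and the traditional syslog line layout (month, day, time, host, program) is assumed.

```shell
#!/bin/sh
# Constructed sample lines in the traditional syslog layout (not from a real host).
sample_auth_log() {
cat <<'EOF'
Sep 26 14:40:01 box sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/chown bob notes.txt
Sep 26 14:41:10 box sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Sep 26 14:41:10 box sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Sep 26 14:45:32 box sudo:    alice : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/su -
Sep 26 14:50:03 box sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt-get update
Sep 26 14:52:47 box sudo:      bob : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd root
Sep 26 14:53:00 box sshd[812]: Accepted password for bob from 192.0.2.10 port 50122 ssh2
EOF
}

# Read auth.log text on stdin; print "status<TAB>user<TAB>command" per sudo event.
#   ok     - a single command ran via sudo and is fully recorded
#   shell  - a root shell was opened; commands typed inside it are NOT logged
#   failed - wrong password, or the user is not in sudoers
sudo_audit() {
  awk '
    $5 ~ /^sudo(\[[0-9]+\])?:$/ && /COMMAND=/ {
      user = $6
      cmd = $0
      sub(/^.*COMMAND=/, "", cmd)          # keep only the logged command line
      status = "ok"
      if ($0 ~ /NOT in sudoers|incorrect password attempt/)
        status = "failed"
      else if (cmd ~ /^(\/usr)?\/bin\/(su|sh|bash|dash|zsh)( |$)/)
        status = "shell"
      printf "%s\t%s\t%s\n", status, user, cmd
    }'
}

# Audit the file given as $1, or the constructed sample when no file is given.
if [ -n "${1:-}" ]; then sudo_audit < "$1"; else sample_auth_log | sudo_audit; fi
```

Entries marked "shell" are the points where the per-command trail stops, which is why the single-command habit gives the more useful log.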

    Security

    There are various advantages and disadvantages to this approach compared with the traditional superuser model; neither is clearly superior overall.

    • By encouraging the execution of single commands with root privileges, rather than opening a shell, sudo:

      • Reduces the amount of time spent with root privileges, and thus the risk of inadvertently executing a command as root

      • Provides a more useful audit trail

    • Having a separate root password (the traditional model) provides an extra layer of protection if an administrative user's password is compromised

    • In either case, if the administrative user (who uses sudo or su to become root) is compromised, the attacker can generally gain root through an indirect attack

    Possible issues with the "sudo" model

    Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:

    • Some packages from universe are effectively broken (e.g. webmin) or become dangerous to use. A good workaround is to enable the root account before dealing with the affected packages (sudo su -; passwd, then enter a root password at the prompt) and to lock it again afterwards (su -; passwd -l).

    • Redirecting the output of commands run with sudo can catch new users out (consider "sudo ls > /root/somefile": the redirection is performed by your own shell, not by root). Workarounds for this include using "sudo sh -c 'ls > /root/somefile'" (but escaping for this gets very ugly very quickly), using Adverbio, or simply using sudo -s to get a root shell and going from there.

      • MattZimmerman: A simple approach which works for most cases is to use dd(1): ls | sudo dd of=/root/somefile

    • In a lot of office environments the ONLY local user on a system is root. All other users are imported using NSS techniques such as nss-ldap. To set up a workstation, or to fix it in the case of a network failure where nss-ldap is broken, root is required. This tends to leave the system unusable unless cracked.

      • JerryHaltom: Perhaps in these cases it necessitates the creation of a local account: "admin" with sudo to root privileges.

    Misconceptions

    • Isn't sudo less secure than su?

      • The basic security model is the same, and therefore these two systems share their primary weaknesses. Any user who uses su or sudo must be considered to be a privileged user. If that user's account is compromised by an attacker, the attacker can also gain root privileges the next time the user does so. The user account is the weak link in this chain, and so must be protected with the same care as root.

        On a more esoteric level, sudo provides some features which encourage different work habits, which can positively impact the security of the system. sudo is commonly used to execute only a single command, while su is generally used to open a shell and execute multiple commands. The sudo approach reduces the likelihood of a root shell being left open indefinitely, and encourages the user to minimize their use of root privileges.

    • I won't be able to enter single-user mode!

      • The sulogin program in Ubuntu is patched to handle the default case of a locked root password.

    Enabling the root account

    Note: This is not recommended!

    To enable the root account (i.e. set a password) use:

    sudo passwd root

    Enter your existing password
    Enter password for root
    Confirm password for root

    Disabling the root account

    Note: This is if you have already enabled a root account and wish to disable it again. To disable the root account after you have enabled it use:

    sudo passwd -l root

    This locks the root account.

    Running GUI applications with Root permissions

    It is generally recommended that you do not run applications with root privileges, but if you have to, it is recommended that you do not run "sudo {GUIAPP}", as sudo may not set up the environment correctly, and particularly on KDE this can be detrimental. Instead, always use gksudo {GUIAPP} or kdesu {GUIAPP}.

    posted on 2005-09-26 14:48 by ivaneeo. Category: debian - the most awesome of the penguins