hackapelite

A simple question: would it be advisable/significantly safer to create an admin account on Linux and never log on it, just to use Admin credentials to install stuff/whatnot, and instead have a basic account for everyone/everything else? Any distro-specific notes on this?

__________________
Teh Shiznizzel, yo!
Runs Windows Vista Ultimate 32-bit (Linux: family had enough)
AMD Phenom 8450 X3 @2.1GHz
ASRock AOD790GX/128M (SB750)
ATI Radeon HD3300 IGP 128MB Shared memory
2x2GB AMICROE DDR2-800 6-6-6-18
500GB Samsung + 320GB Seagate Barracuda
380Watt CoolerMaster PSU
LG "SuperMulti" DVD Writer
Generic MIDI Tower

Spatula.

patrickv

most linux distros come with root, some are open and some are closed.
on openSuse, root is open,so does PCLinux, but ubuntu Root is disabled.
you can't create root... you can create accounts that have normal abilities and some of roots credential.
am pretty sure you know root is not to be used

__________________
My Blog

My FlickR

M0LD0V4N

In ubuntu It's disabled? I got into root.

__________________
Don't take life so Seriously, It isn't permanent.

hackapelite

Yes, I know...
So, root is the "real admin", the almighty and untouchable... does open root mean you can log on it?
In ubuntu, I had the option to create "basic" and "admin" accounts, What I'm wondering is, is there any advantage to creating basic ones over admin ones security-wise, and have only one admin.

Oh and also, since root is not to be used (or can't be used)... the credentials an admin can give will still be enough to have complete control over the system, right? By complete I don't mean 100% complete but as complete as necessary for perfectly legit administrating?

__________________
Teh Shiznizzel, yo!
Runs Windows Vista Ultimate 32-bit (Linux: family had enough)
AMD Phenom 8450 X3 @2.1GHz
ASRock AOD790GX/128M (SB750)
ATI Radeon HD3300 IGP 128MB Shared memory
2x2GB AMICROE DDR2-800 6-6-6-18
500GB Samsung + 320GB Seagate Barracuda
380Watt CoolerMaster PSU
LG "SuperMulti" DVD Writer
Generic MIDI Tower

Spatula.

tlarkin

Depends on how the distro handles it. Typically in Linux I make a root account, and then I make myself the admin. The admin can invoke root privliges by using sudo before commands. It will prompt you for that admin's password but that is all.

In Debian/Ubuntu the root account is not disabled, it is really there. Instead though they have what is called /etc/sudoers which promotes accounts with in that directory to root via sudo, which is a lot like how OS X handles it. You just can't log in as root and the root has no home directory.

Really the only major difference between an admin and a basic account is the ability to su and sudo. Unless you are using some kind of group or local policy to manage user's access privs and/or system rights.

Root accounts give access to everything. Which can be dangerous if you don't know what you are doing. In my personal opinion root is only needed in certain situations, and most of the time not need to be run. For example if you want to shell script a lot of things out as root, you will need the account there and enabled (which it is for the most part in every distro), however, the root account may not be available for log in.

__________________
Typical Signature:
Computer Specs: - numbers I read off a box | parts I assembled in a case all by myself | benchmark score

"Will the man with telekenesis please raise my hand?" - Vonnegut

chown -R us /.base

Get a grep!

hackapelite

Soo... basic users can't sudo? Can they su? Couldn't a basic user sudo by su-ing as an admin...? I'm still fairly new to linux-stuff, so you'll need to draw a picture for me...

__________________
Teh Shiznizzel, yo!
Runs Windows Vista Ultimate 32-bit (Linux: family had enough)
AMD Phenom 8450 X3 @2.1GHz
ASRock AOD790GX/128M (SB750)
ATI Radeon HD3300 IGP 128MB Shared memory
2x2GB AMICROE DDR2-800 6-6-6-18
500GB Samsung + 320GB Seagate Barracuda
380Watt CoolerMaster PSU
LG "SuperMulti" DVD Writer
Generic MIDI Tower

Spatula.

tlarkin

In most distros whenever an account does a sudo command, it is parsed against the /etc/sudoers file, and any account not in that file can't sudo. Typically standard accounts can't do so. You can always su in the terminal but you will need to know the short name and the password for each account.

Does that make sense?

__________________
Typical Signature:
Computer Specs: - numbers I read off a box | parts I assembled in a case all by myself | benchmark score

"Will the man with telekenesis please raise my hand?" - Vonnegut

chown -R us /.base

Get a grep!

hackapelite

Yep, apart from the "short names" part. Dunno what they are.

Oh an a question, is it possible to modify the sudoers file so as to allow only certain people sudo?

And if I've got you right, I'm perfectly safe (I know there ain't such thing, but...) having my normal account set as adming, correct?

__________________
Teh Shiznizzel, yo!
Runs Windows Vista Ultimate 32-bit (Linux: family had enough)
AMD Phenom 8450 X3 @2.1GHz
ASRock AOD790GX/128M (SB750)
ATI Radeon HD3300 IGP 128MB Shared memory
2x2GB AMICROE DDR2-800 6-6-6-18
500GB Samsung + 320GB Seagate Barracuda
380Watt CoolerMaster PSU
LG "SuperMulti" DVD Writer
Generic MIDI Tower

Spatula.

tlarkin

An example of user's name versus shotname.

User's Name: John Smith
shotname: jsmith

The short name is what the directory will use for every transaction, while at the same time there is an entry tied to that name in the user data base with their full name.

Why hack around your permissions and change under the hood? I don't recommend that because it can negatively affect something somewhere else down the road.

What are you worried about, messing the machine up? Just be careful when you sudo and how you modify config files, always create a back up of the original config file just in case you mess something up so you can restore it.

__________________
Typical Signature:
Computer Specs: - numbers I read off a box | parts I assembled in a case all by myself | benchmark score

"Will the man with telekenesis please raise my hand?" - Vonnegut

chown -R us /.base

Get a grep!