Accounts on Linux

[TrainTrackHack]

A simple question: would it be advisable/significantly safer to create an admin account on Linux and never log on it, just to use Admin credentials to install stuff/whatnot, and instead have a basic account for everyone/everything else? Any distro-specific notes on this?

 

[patrickv]

most linux distros come with root, some are open and some are closed.
on openSuse, root is open,so does PCLinux, but ubuntu Root is disabled.
you can't create root... you can create accounts that have normal abilities and some of roots credential.
am pretty sure you know root is not to be used

 

[M0LD0V4N]

most linux distros come with root, some are open and some are closed.
on openSuse, root is open,so does PCLinux, but ubuntu Root is disabled.
you can't create root... you can create accounts that have normal abilities and some of roots credential.
am pretty sure you know root is not to be used

In ubuntu It's disabled? I got into root.

 

[TrainTrackHack]

am pretty sure you know root is not to be used

Yes, I know...

most linux distros come with root, some are open and some are closed.

So, root is the "real admin", the almighty and untouchable... does open root mean you can log on it?

you can't create root... you can create accounts that have normal abilities and some of roots credential.

In ubuntu, I had the option to create "basic" and "admin" accounts, What I'm wondering is, is there any advantage to creating basic ones over admin ones security-wise, and have only one admin.

Oh and also, since root is not to be used (or can't be used)... the credentials an admin can give will still be enough to have complete control over the system, right? By complete I don't mean 100% complete but as complete as necessary for perfectly legit administrating?

 

[tlarkin]

Depends on how the distro handles it. Typically in Linux I make a root account, and then I make myself the admin. The admin can invoke root privliges by using sudo before commands. It will prompt you for that admin's password but that is all.

In Debian/Ubuntu the root account is not disabled, it is really there. Instead though they have what is called /etc/sudoers which promotes accounts with in that directory to root via sudo, which is a lot like how OS X handles it. You just can't log in as root and the root has no home directory.

Really the only major difference between an admin and a basic account is the ability to su and sudo. Unless you are using some kind of group or local policy to manage user's access privs and/or system rights.

Root accounts give access to everything. Which can be dangerous if you don't know what you are doing. In my personal opinion root is only needed in certain situations, and most of the time not need to be run. For example if you want to shell script a lot of things out as root, you will need the account there and enabled (which it is for the most part in every distro), however, the root account may not be available for log in.

 

[TrainTrackHack]

Really the only major difference between an admin and a basic account is the ability to su and sudo. Unless you are using some kind of group or local policy to manage user's access privs and/or system rights.

Soo... basic users can't sudo? Can they su? Couldn't a basic user sudo by su-ing as an admin...? I'm still fairly new to linux-stuff, so you'll need to draw a picture for me...

 

[tlarkin]

In most distros whenever an account does a sudo command, it is parsed against the /etc/sudoers file, and any account not in that file can't sudo. Typically standard accounts can't do so. You can always su in the terminal but you will need to know the short name and the password for each account.

Does that make sense?

 

[TrainTrackHack]

Yep, apart from the "short names" part. Dunno what they are.

Oh an a question, is it possible to modify the sudoers file so as to allow only certain people sudo?

And if I've got you right, I'm perfectly safe (I know there ain't such thing, but...) having my normal account set as adming, correct?

 

[tlarkin]

Yep, apart from the "short names" part. Dunno what they are.

Oh an a question, is it possible to modify the sudoers file so as to allow only certain people sudo?

And if I've got you right, I'm perfectly safe (I know there ain't such thing, but...) having my normal account set as adming, correct?

An example of user's name versus shotname.

User's Name: John Smith
shotname: jsmith

The short name is what the directory will use for every transaction, while at the same time there is an entry tied to that name in the user data base with their full name.

Why hack around your permissions and change under the hood? I don't recommend that because it can negatively affect something somewhere else down the road.

What are you worried about, messing the machine up? Just be careful when you sudo and how you modify config files, always create a back up of the original config file just in case you mess something up so you can restore it.