[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: How to patch a physically weak system & recommended use of sudo?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: How to patch a physically weak system & recommended use of sudo?
- From: Nick Holland <nick_(_at_)_hc_(_dot_)_holland-consulting_(_dot_)_net>
- Date: Thu, 18 Aug 2005 14:12:00 -0400
On Thu, Aug 18, 2005 at 04:02:21PM +0000, Scott Plumlee wrote:
> Nick Holland wrote:
> >When I set up an OpenBSD system, one of the first things I do is create
> >a personal user for myself, put myself in the wheel group, configure
> >sudo to let wheel users do anything, log in as that user, and disable
> >root logins. Completely disable. This does a few things...
> Is your preferred method for doing so to remove the root user, or set
> the shell to nologin, or something else? I like the idea, but I'd
> rather not shoot myself in the foot doing it.
What I normally do is use vipw to change the encrypted root PW to "*" or
put a number of identical repeating characters in middle of the
encrypted PW. "Completely disable" is probably the wrong
expression...as you could still log in single user (no PW prompted for),
and if you could find a REASON you absolutely had to login as root from
a multi-user system, you could always do a "sudo su -" which will take
you to root directly. I've done this, but never had reason that I *had*
to do it.
By "completely disable", I meant "Unable to directly log into the
account from a login prompt". That's what happens when writing an
e-mail and realizing I should have left for work 15 minutes earlier...
Don't remove the root user, don't probably need to change the login
shell (though I can't think of any way that would hurt you).
sudo -s is handy for doing lots of root activies, if you are not worried
about command logging.
I also tend to have an "alias ]=sudo" in my .profiles. It seems to help
encourage me not to use "sudo -s" because I'm lazy. :) I'm sure there
is some use of the ] key in a command line I'm blowing out, but I
haven't come across it yet. :)