Aug 03 2007

Doing Away with the Need for Root Account in Linux

Published by at 10:37 am under linux, Security

After installing Linux, it is a good idea to do away with using the root account directly. This is part of making your system as secure as possible. Almost all Linux installations come with a program named sudo that grants root privileges to normal users without their having to know the root password. This way you can execute commands that are meant to be executed by root. Please follow the steps below to allow a user to obtain root privileges:

  • Any user or group that should be able to gain root privileges must be enabled in /etc/sudoers. The normal practice is to enable the users belonging to group wheel to run all root-privileged commands.
  • /etc/sudoers is edited with visudo. You need to be root to edit this file.
  • $visudo
    =========== File snippet below =====================
    # sudoers file.
    # This file MUST be edited with the 'visudo' command as root.
    # See the sudoers man page for the details on how to write a sudoers file.
    # Host alias specification
    # User alias specification
    # Cmnd alias specification

    # Defaults specification

    # User privilege specification
    root ALL=(ALL) ALL

    # Uncomment to allow people in group wheel to run all commands (uncomment the following line)
    %wheel ALL=(ALL) ALL

    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL

  • Now add the user you want to have root privileges to group wheel:
    $usermod -a -G wheel "username here without the quotes"
    Now test whether that particular user can gain root privileges. First log in to the system with the username you want to test:
    $wc /etc/sudoers
    wc: /etc/sudoers: Permission denied
    $sudo wc /etc/sudoers
    password: # enter your account password here
    28 94 579 /etc/sudoers
    If you can count the words in that file, that means you can run any command that requires root privileges.
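The test above confirms the setup for one user interactively. As an added example, not part of the original post, the script below performs the same checks from files: it reads which accounts are members of wheel from a group(5)-style file and confirms that the sudoers rule is the password-requiring `%wheel ALL=(ALL) ALL` line rather than the `NOPASSWD` variant. The function names are hypothetical, and the sudoers and group files are constructed samples so nothing here touches the real /etc/sudoers or /etc/group.

```shell
# Added example, not part of the original post: a small audit of the sudo
# setup described above. The function names are hypothetical, and the sudoers
# and group files below are constructed samples so the script never reads the
# real /etc/sudoers or /etc/group.

# Print the member list (fourth field) of a group from a group(5)-style file.
group_members() {
    # $1 = group file, $2 = group name
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Return 0 if the user is listed as a member of the group.
user_in_group() {
    # $1 = group file, $2 = group name, $3 = user name
    group_members "$1" "$2" | tr ',' '\n' | grep -qx -- "$3"
}

# Print the active (uncommented) sudoers rules whose first field is %group.
active_group_rules() {
    # $1 = sudoers file, $2 = group name without the leading %
    awk -v g="%$2" '!/^[[:space:]]*#/ && $1 == g' "$1"
}

# Return 0 when the %wheel rule is active and no active rule grants NOPASSWD,
# i.e. the file matches the recommended snippet above.
sudoers_check() {
    # $1 = sudoers file
    active_group_rules "$1" wheel | grep -q . || return 1
    ! awk '!/^[[:space:]]*#/ && /NOPASSWD/' "$1" | grep -q .
}

# Constructed sample files standing in for /etc/sudoers and /etc/group.
SUDOERS_SAMPLE=$(mktemp)
GROUP_SAMPLE=$(mktemp)
cat >"$SUDOERS_SAMPLE" <<'EOF'
# User privilege specification
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
EOF
cat >"$GROUP_SAMPLE" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
sshusers:x:1001:alice
EOF

# Stand-alone run: report on the samples.
if sudoers_check "$SUDOERS_SAMPLE"; then
    echo "sudoers: %wheel rule active, no NOPASSWD rules"
else
    echo "sudoers: check FAILED"
fi
echo "wheel members: $(group_members "$GROUP_SAMPLE" wheel)"
```

To run it against a real system, point the functions at /etc/group and a copy of /etc/sudoers; every member the first function prints can become root with only their own password, so that list is the one to review periodically.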

If you use SSH to log in to your machine remotely, follow the procedure below to disallow "root" from logging in:

  • Again, it is good practice to create a group whose members will be allowed SSH access.
  • Create a group named sshusers.
  • $sudo groupadd sshusers
    $sudo usermod -a -G sshusers "username who needs ssh access, without quotes"
    Now open /etc/ssh/sshd_config to disable root login and enable the group sshusers:
    $sudo vi /etc/ssh/sshd_config
    =========== File snippet. Only the required portion is shown ===========
    #LoginGraceTime 2m
    PermitRootLogin no
    # Add this line into the file
    AllowGroups sshusers

    Test it out by trying to log in as root. You should get an Access Denied message.

    Now try to log in using a user that belongs to the sshusers group. You should be able to log in.
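One caveat a practitioner will want here: sshd uses the first value it reads for each keyword in the global section, and keywords inside a `Match` block apply only to that block. Adding `PermitRootLogin no` below an existing `PermitRootLogin yes` therefore changes nothing. The script below, an added example that is not part of the original post, resolves the effective global value of a keyword that way and checks the two settings recommended above. The function names are hypothetical and the configuration files are constructed samples, not a real sshd_config.

```shell
# Added example, not part of the original post: read the effective value of an
# sshd_config keyword the way sshd does (the first uncommented occurrence in the
# global section wins; keywords inside a Match block do not apply globally) and
# check the two settings recommended above. Function names are hypothetical and
# the configuration files are constructed samples, not the real sshd_config.

# Print the effective global value of a keyword (keyword match is case-insensitive).
# Assumes the whitespace-separated "Keyword value" form used in the post.
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }                 # comment line
        NF == 0 { next }                          # blank line
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == key {                      # first occurrence wins
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }
    ' "$1"
}

# Return 0 when root login is disabled and the given group is in AllowGroups.
sshd_hardening_check() {
    # $1 = config file, $2 = group that must be allowed
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ] || return 1
    for g in $(sshd_effective "$1" AllowGroups); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Constructed sample: the post's snippet plus a Match block, which must be ignored.
GOOD_CFG=$(mktemp)
cat >"$GOOD_CFG" <<'EOF'
#LoginGraceTime 2m
PermitRootLogin no
AllowGroups sshusers admins
Match Group sftponly
    ForceCommand internal-sftp
EOF

# Constructed sample of a common mistake: the new "no" line was appended below
# an existing "yes" line, so sshd still allows root login.
TRAP_CFG=$(mktemp)
cat >"$TRAP_CFG" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
AllowGroups sshusers
EOF

# Stand-alone run.
for f in "$GOOD_CFG" "$TRAP_CFG"; do
    if sshd_hardening_check "$f" sshusers; then
        echo "$f: root login disabled, sshusers allowed"
    else
        echo "$f: check FAILED (PermitRootLogin=$(sshd_effective "$f" PermitRootLogin))"
    fi
done
```

On a real host, `sshd -t` checks the file for syntax errors before you restart the daemon, and `sshd -T` prints the effective configuration, which is the authoritative answer to the same question this script approximates.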
