On Thu, 2004-03-25 at 18:11, James Kosin wrote:
> I have a silly question;
> Does the root (group) have special privileges like the root (user)?
> If so, what are they?

As far as I know, Fedora Core doesn't give the root group any special privileges. However, PAM and sudo can be set up to allow certain users or groups to have special privileges. In most cases you'd add superusers to the wheel group, then give the wheel group special privileges through sudo or PAM. PAM is much more powerful; however, it isn't as easy to set up. Fedora Core's consolehelper (the root password prompt you see when running "System Settings" programs) is based on PAM.

For more info on sudo:

    man 5 sudoers

To edit the sudoers file, run this as root:

    visudo

The following sudoers entry allows members of the wheel group unrestricted root access with sudo. It challenges them for their own password instead of the root password:

    %wheel ALL=(ALL) ALL

Then members of the wheel group can prefix commands with sudo to run them as root. To get a root login shell (without needing the root password) you would do this:

    sudo su -

To go one step further: Once I've set up sudo and know it works, I remove all terminal devices from /etc/securetty, modify /etc/ssh/sshd_config (PermitRootLogin no), and modify /etc/X11/gdm/gdm.conf (AllowRoot=false & AllowRemoteRoot=false) to disallow root login entirely. This forces people to log in as a non-privileged user and use sudo or su.

If someone tries to run something they are not allowed to run, the administrators are sent an email. All sudo commands are logged to the system log. Thus when something breaks you can go back and see precisely what has been done to break it and who did it.

In an emergency, such as accidentally erasing/damaging your passwd or groups files, you can easily gain root privileges with a rescue CD or by passing arguments to the kernel (e.g. init=/bin/sh).

-- 
David Norris
http://www.webaugur.com/dave/
ICQ - 412039
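A read-only audit of the lockdown steps described in the message above, added here as an example; it is not part of the original post. The function names, the root-prefix argument (so a copy of /etc can be checked) and the sample file contents are constructed for illustration. The sudoers check comes first because the post disables root login only after sudo is known to work.

```sh
#!/bin/sh
# Added example: audit the root-login lockdown from the post above.
# $1 of audit() is a hypothetical root prefix, so a copy of /etc can be checked.

check_wheel() {      # sudoers has the uncommented %wheel entry from the post
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL[[:space:]]*$' "$1" 2>/dev/null
}
check_securetty() {  # file exists and lists no terminal device
    [ -f "$1" ] && ! grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}
check_sshd() {       # sshd keeps the first value it reads for a keyword (Match blocks ignored here)
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1" 2>/dev/null)
    [ "$val" = "no" ]
}
check_gdm() {        # every assignment of both keys must be "false"
    for key in AllowRoot AllowRemoteRoot; do
        vals=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | sort -u)
        [ "$vals" = "false" ] || return 1
    done
}
audit() {            # prints one line per failed check; exit status = number of failures
    fails=0
    if ! check_wheel "$1/etc/sudoers"; then
        echo "FAIL sudoers: no '%wheel ALL=(ALL) ALL'; fix sudo before disabling root login"
        fails=$((fails + 1))
    fi
    check_securetty "$1/etc/securetty" || { echo "FAIL securetty: root may log in on a listed tty"; fails=$((fails + 1)); }
    check_sshd "$1/etc/ssh/sshd_config" || { echo "FAIL sshd_config: PermitRootLogin is not 'no'"; fails=$((fails + 1)); }
    check_gdm "$1/etc/X11/gdm/gdm.conf" || { echo "FAIL gdm.conf: AllowRoot/AllowRemoteRoot not false"; fails=$((fails + 1)); }
    return "$fails"
}
make_sample() {      # constructed sample tree: sudo is set up, root login still open
    mkdir -p "$1/etc/ssh" "$1/etc/X11/gdm"
    printf '%s\n' '# constructed sample' '%wheel ALL=(ALL) ALL' > "$1/etc/sudoers"
    printf '%s\n' 'tty1' 'tty2' > "$1/etc/securetty"
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$1/etc/ssh/sshd_config"
    printf '%s\n' '[security]' 'AllowRoot=true' 'AllowRemoteRoot=false' > "$1/etc/X11/gdm/gdm.conf"
}
demo=$(mktemp -d)
make_sample "$demo"
audit "$demo" || echo "$? check(s) failed"   # the three root-login checks fail on the sample
rm -rf "$demo"
```

Against a live system, `audit ""` reads the real files; /etc/sudoers is normally readable only by root.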