Becoming Superuser

On a Unix system, the superuser refers to a privileged account with unrestricted access to all files and commands. The username of this account is root. Many administrative tasks and their associated commands require superuser status.

There are two ways to become the superuser. The first is to log in as
root directly. The second way is to execute the command

After you enter the

$ su
Password: Not echoed
#

If you type the password incorrectly, you get an error message and return to the normal command prompt.

You may exit from the superuser account with
When you run

$

Warning: Unlike some other operating systems, the Unix superuser has all privileges all the time: access to all files, commands, etc. Therefore, it is entirely too easy for a superuser to crash the system, destroy important files, and create havoc inadvertently. For this reason, people who know the superuser password (including the system administrator) should not do their routine work as superuser. Only use superuser status when it is needed.

The root account should always have a password, and this password should be changed periodically. Only experienced Unix users with special requirements should know the superuser password, and the number of people who know it should be kept to an absolute minimum.

To set or change the superuser password, become superuser and execute one of the following commands:

#

Generally, you’ll be asked to type the old superuser password and then the new password twice. The root password should also be changed whenever someone who knows it stops using the system for any reason (e.g., transfer, new job, etc.), or if there is any suspicion that an unauthorized user has learned it. Passwords are discussed in detail in Chapter 6.

I try to avoid logging in directly as root. Instead, I

For security reasons, it’s a bad idea to leave any logged-in session unattended; naturally, that goes double for a root session. Whenever I leave a workstation where I am logged in as root, I log out or lock the screen to prevent anyone from sneaking onto the system. The

Tip: If you are logged in as root on a serial console, you should also use a locking utility provided by the operating system. In some cases, if you are using multiple virtual consoles, you will need to lock each one individually.

Controlling Access to the Superuser Account

On many systems, any user who knows the root password may become superuser at any
time by running

Traditionally, BSD systems
limited access to

AIX allows the system administrator to specify who can use

#

Most Unix versions also allow you to restrict direct root logins to certain terminals. This topic is discussed in Chapter 12.

Running a Single Command as root

Nevertheless, I have found that it does have one important use for a system administrator: it allows you to fix something quickly when you are at a user’s workstation (or otherwise not at your own
system) without having to worry about remembering to exit from an

You can run a single command as root by using a command of this form:

$

where command is
replaced by the command you want to run. The command should be enclosed in quotation marks if it contains any spaces or special shell characters.

When you execute a command of this form,

The following example illustrates this use of

$

Commands and output would be slightly different on other systems.

You can start a background command as root by including a final ampersand within the specified command (inside the quotation marks), but you’ll want to consider the security implications of a user bringing it to the foreground before you do this at a user’s workstation.

sudo: Selective Access to Superuser Commands

Standard Unix takes an all-or-nothing approach to granting root access, but often what you actually want is something in between. The freely available

For example, a non-root user could use this

$

# Host alias specifications: names for host lists
Host_Alias PHYSICS = hamlet, ophelia, laertes
Host_Alias CHEM = duncan, puck, brutus

# User alias specifications: named groups of users
User_Alias BACKUPOPS = chavez, vargas, smith

# Command alias specifications: names for command groups
Cmnd_Alias MOUNT = /sbin/mount, /sbin/umount
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Cmnd_Alias BACKUP = /usr/bin/tar, /usr/bin/mt
Cmnd_Alias CDROM = /sbin/mount /cdrom, /bin/eject

These three configuration file sections define

The final command alias illustrates the use of arguments within a command list. This alias consists of a command to mount a CD at /cdrom and
to eject the media from the drive. Note, however, that it does not grant general use of the

The final section of the file (see below) specifies which users may use the

where host is a hostname or a host alias, and command(s) are one or more commands or command aliases, with multiple commands or hosts separated by commas. Multiple access specifications may be included for a single user, separated by colons. The alias ALL stands for all hosts or commands, depending on its context.

Here is the remainder of our example configuration file:

# User specifications: who can do what where
root      ALL = ALL
%chem     CHEM = SHUTDOWN, MOUNT
chavez    PHYSICS = MOUNT: achilles = /sbin/swapon
harvey    ALL = NOPASSWD: SHUTDOWN
# The trailing slash marks a directory entry: any command directly inside it
BACKUPOPS ALL, !CHEM = BACKUP, /usr/local/bin/

The first entry after the comment grants root access to all commands on all hosts. The second entry applies to members of the chem group (indicated by the initial percent sign), who may run system shutdown and mounting commands on any computer in the CHEM list. The third entry specifies that user chavez may run the mounting commands on the hosts in the PHYSICS list and may also run the

The final entry applies to the users specified for the BACKUPOPS alias. On any system except those in the CHEM list (the preceding exclamation point indicates exclusion), they may run the commands listed in the BACKUP alias as well as any command in the /usr/local/bin directory.

Users can use the

Warning: Commands
should be selected for use with

The

There are other ways you might want to customize

#

Once the command completes, use the
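
To make the access rules walked through above concrete, the following added example (not from the original text and not sudo's own code) evaluates the page's sample configuration in Python. It is a simplified model with function names chosen here, covering only the constructs this file uses: aliases, %group, !exclusion, NOPASSWD, colon-separated specifications and directory entries, with the directory entry written with the trailing slash sudoers uses for "any command in this directory".

```python
import re
SUDOERS = """\
Host_Alias PHYSICS = hamlet, ophelia, laertes
Host_Alias CHEM = duncan, puck, brutus
User_Alias BACKUPOPS = chavez, vargas, smith
Cmnd_Alias MOUNT = /sbin/mount, /sbin/umount
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Cmnd_Alias BACKUP = /usr/bin/tar, /usr/bin/mt
root ALL = ALL
%chem CHEM = SHUTDOWN, MOUNT
chavez PHYSICS = MOUNT: achilles = /sbin/swapon
harvey ALL = NOPASSWD: SHUTDOWN
BACKUPOPS ALL, !CHEM = BACKUP, /usr/local/bin/
"""  # constructed copy of the page's example file; directory entry ends in "/"
items = lambda s: [x.strip() for x in s.split(",")]

def parse(text):
    aliases, rules = {}, []
    for line in text.splitlines():
        m = re.match(r"(?:Host|User|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = items(m.group(2))
        elif line.strip() and not line.startswith("#"):
            who, rest = line.split(None, 1)
            for spec in re.split(r":(?=[^:=]*=)", rest):  # ":" before another "hosts ="
                hosts, cmds = spec.split("=", 1)
                rules.append((who, items(hosts), items(cmds.replace("NOPASSWD:", "")), "NOPASSWD:" in cmds))
    return aliases, rules

def matches(pattern, value):  # a trailing "/" means any file directly in that directory
    in_dir = pattern.endswith("/") and value.startswith(pattern) and "/" not in value[len(pattern):]
    return in_dir or pattern in ("ALL", value)

def in_list(value, entries, aliases):
    verdict = False
    for entry in entries:  # a later entry overrides an earlier one, so "!X" can exclude
        name = entry.lstrip("!")
        if any(matches(m, value) for m in aliases.get(name, [name])):
            verdict = not entry.startswith("!")
    return verdict

def check(user, groups, host, cmd):
    aliases, rules = parse(SUDOERS)
    result = "denied"
    for who, hosts, cmds, nopasswd in rules:  # the last matching rule decides
        is_who = who in (user, *["%" + g for g in groups]) or user in aliases.get(who, [])
        if is_who and in_list(host, hosts, aliases) and in_list(cmd, cmds, aliases):
            result = "nopasswd" if nopasswd else "password"
    return result
```

Calling check("vargas", [], "duncan", "/usr/bin/tar") returns "denied" because duncan is in the excluded CHEM list, while the same request on hamlet returns "password".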

Warning: The one disadvantage of

Which of the following commands would you use to view the current soft limits on a Linux machine?
The ulimit -a command displays the current limits.

Which of the following commands would you use to determine what directory you are currently in?
In order to find the current directory you are in, use the pwd command.

Which of the following commands is used to change the current group ID?
The newgrp command is used to change the current GID (group ID) during a login session.

Which of the following is used by Microsoft for auditing in order to identify past actions?
Microsoft uses a system access control list (SACL) for auditing in order to identify past actions performed by users on an object.