[ubuntu-hardened] RootSudo or not - what's better?
Daniel Curtis
sidetripping at gmail.com
Sat Nov 1 14:17:32 UTC 2014
Hi
As we know, by default the root account/password
is locked in Ubuntu. This, of course, means that a user
cannot log in as root or even use the 'su' command.
We also have to remember that the root account
physically exists.
So it is still possible to run programs or execute
commands with root privileges (I think about 'sudo').
But as a consequence, there is just one password,
right? The user uses this password to log in to the system
and to run the mentioned programs/commands with root
privileges, because of 'sudo'.
I would like to ask whether it would be safer to
create e.g. a 'wheel' group, so a user who is in such a
group could use 'su -' etc. to become 'root'? Now,
there must be two passwords: one for a regular user
e.g. for logging in to the system and for using 'su -' to
become 'root' and then use a second password
- let's say - reserved for the super user.
Of course, we can restrict the use of the 'su' command
by e.g. 'pam_wheel.so' etc. Now only members of
the group 'wheel' can use the 'su' command. And so on.
However 'sudo' still offers simplicity of use, better control
such as '/var/log/auth.log' file etc.
I would like to know if it is a good idea - from a security
point of view - to have two passwords instead of one "global"?
If I remember correctly there is no other Linux distro
with a locked 'root' account.
Yes, there are benefits of leaving 'root' logins disabled by
default, but what do you think? But maybe it is better to
have at least two passwords and use the 'wheel' group?
Best regards.
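
Added example, not part of the original post: a small audit that tells the two layouts discussed above apart, by classifying root's password field in shadow(5) format and checking whether `pam_wheel.so` is actually active for `su`. The function names and the sample `shadow` and `/etc/pam.d/su` contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample inputs (not taken from any real system).
SHADOW_LOCKED='root:!:16375:0:99999:7:::'
SHADOW_SET='root:$6$examplesalt$examplehash:16375:0:99999:7:::'
PAM_SU_DEFAULT='auth       sufficient pam_rootok.so
# auth       required   pam_wheel.so
session    required   pam_env.so readenv=1'
PAM_SU_WHEEL='auth       sufficient pam_rootok.so
auth       required   pam_wheel.so group=wheel
session    required   pam_env.so readenv=1'

# Reads shadow(5) text on stdin and classifies root's password field:
# a leading ! or * cannot match any password (locked), empty means no password.
root_pw_state() {
    awk -F: '$1 == "root" { found = 1
                 if ($2 ~ /^[!*]/) print "locked"
                 else if ($2 == "") print "empty"
                 else print "set" }
             END { if (!found) print "missing" }'
}

# Reads /etc/pam.d/su text on stdin. Only an active "auth required|requisite
# pam_wheel.so" line without "deny" limits su to group members; a commented
# line, or "sufficient ... trust", does not.
su_wheel_state() {
    awk '/^[ \t]*#/ { next }
         $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 == "pam_wheel.so" {
             deny = 0
             for (i = 4; i <= NF; i++) if ($i == "deny") deny = 1
             if (!deny) hit = 1 }
         END { print (hit ? "restricted" : "unrestricted") }'
}

# auth_model SHADOW_TEXT PAM_SU_TEXT -> one-line summary of the setup.
auth_model() {
    pw=$(printf '%s\n' "$1" | root_pw_state)
    su=$(printf '%s\n' "$2" | su_wheel_state)
    echo "root_password=$pw su=$su"
}

auth_model "$SHADOW_LOCKED" "$PAM_SU_DEFAULT"   # sudo-only layout
auth_model "$SHADOW_SET" "$PAM_SU_WHEEL"        # su + wheel layout
```

On a live host the same functions can be fed from `sudo getent shadow root` and `/etc/pam.d/su` instead of the sample variables.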