[users] Re: Linux Vs Windows in security (II)
Karl Auer
kauer at biplane.com.au
Wed Aug 29 12:40:39 UTC 2007
> > NO - You can't change the root password if you don't know the root
> > password. You CAN however, IF you DO.
> Well, either you or me are mistaken.
> 'cause anyone who has access to sudo, can change the root pass, EVEN without knowing it.

You are right. root can change any password, including its own, without
having to provide the old password.

Some sites don't let sudo run passwd for that reason, but there are
dozens of ways round that. You can't block every editor either, there
are too many of them.

The cure is old-fashioned - give specific sudo access to specific users
or groups for specific programs, only as needed and make the default
sudo access nothing. Don't provide sudo access to anything that could
conceivably be used to escalate privileges - that means anything that
can modify a user-specified file on disk. And keep the members of admin
to a minimum - ideally just one.

Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
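
Added example, not part of the message above and not code from its author: a small audit of sudoers-style rules that flags blanket grants, blanket grants that rely on a denylist, and grants for programs that can modify files. The sample policy, the user names and the RISKY list are constructed assumptions, and the parser covers only simple one-line user specifications.

```python
import os
import re

# Assumed, non-exhaustive list of programs that can modify a caller-chosen
# file or start a shell. The post's point is that no such list is complete.
RISKY = {"passwd", "visudo", "vi", "vim", "nano", "emacs", "ed", "sed",
         "tee", "cp", "mv", "dd", "chmod", "chown", "sh", "bash", "su"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
SPEC = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(.+)$")   # who host = commands

# Constructed sample policy, not taken from any real host.
SAMPLE = """\
Defaults env_reset
%admin ALL=(ALL) ALL
alice  ALL=(root) ALL, !/usr/bin/passwd
bob    ALL=(root) /usr/bin/vim /etc/hosts
carol  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

def audit_sudoers(text):
    """Return (line_no, who, command, reason) for every risky grant."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # simplification: '#' starts a comment
        m = SPEC.match(line)
        if not m or line.startswith(SKIP):
            continue
        who = m.group(1)
        rest = re.sub(r"\([^)]*\)", "", m.group(2))   # drop the (runas) part
        # Strip tags such as NOPASSWD: from the front of each command.
        cmds = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip()) for c in rest.split(",")]
        denylist = any(c.startswith("!") for c in cmds)
        for cmd in cmds:
            if not cmd or cmd.startswith("!"):
                continue                      # a negation grants nothing by itself
            if cmd == "ALL":
                why = "blanket grant behind a denylist" if denylist else "blanket grant"
            elif os.path.basename(cmd.split()[0]) in RISKY:
                why = "can modify files or start a shell"
            else:
                continue
            findings.append((no, who, cmd, why))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```

Only the carol rule passes: it names one program with fixed arguments, which is the allowlist shape the message recommends.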