On 4/9/21 10:47 AM, Binet, Valere (NIH/NIA/IRP) [C] wrote:
The NIST and CIS baselines don't allow su, we have to use sudo on government computers.
Could you enlighten me on the rationale behind that restriction? As, as you already noticed, my [ancient, maybe] reasoning makes me arrive at an opposite conclusion. (but mine is pure security consideration with full trust vested into sysadmin, see below...)
On a second guess: it is just for a separation of privileges, and accounting of who did what which sudo brings to the table... Right?
Thanks in advance.
Valeri
Valère Binet
On 4/9/21, 11:39 AM, "Valeri Galtsev" galtsev@kicp.uchicago.edu wrote:
On 4/9/21 10:31 AM, Johnny Hughes wrote:
> On 4/9/21 5:18 AM, Steve Clark via CentOS wrote:
>> On 4/8/21 3:50 PM, Tony Schreiner wrote:
>>
>> On Thu, Apr 8, 2021 at 2:33 PM Nicolas Kovacs <info@microlinux.fr> wrote:
>>
>> On 08/04/2021 at 18:58, Steve Clark via CentOS wrote:
>>
>> How do I allow root log in on GDM.
>>
>> tl;dr: you don't.
>>
>> Log in as a non-root user, and when you do need root, either open up a terminal
>> and use 'su -' or (even better) set up your user by making your user a member of
>> the wheel group and then use sudo.
>>
>> Logging in to a GUI as root is *BAD* practice.
>>
>> Cheers,
>>
>> Niki
>>
>> That said - you can do it, by clicking on "Not listed?" and typing root
>> into the user field.
>>
>> Yes I have done that and it immediately comes back to the login screen,
>> I know I am typing the correct passwd, because if I botch the passwd I get
>> a message to that effect.
>
> I would not recommend ever using the GUI as the root user .. it creates
> keys and items that are very dangerous. (gnome key rings, etc)

+1000

> You should be able to 'su -' , then use visudo to create a sudo account
> for your user. You can even NOPASSWD your user for using sudo (you may
> or may not want to do that .. if someone gains access to your local
> account, they could then sudo with no passwd).

In the past I even avoided sudo. It is yet one more SUID-ed binary on your machine. Which may add to your potential [local, in general] vulnerability footprint. su, - making yourself root is more than enough for regular sysadmin.

> But, I have never, ever logged in as root on a GUI account directly on a
> machine that I cared about or was keeping live .. just advice, do with
> it what you will.

+1

To OP: Do as you wish, and deal with consequences.
Valeri

> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
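The NOPASSWD caveat raised in the quoted thread can be checked on a host by listing which sudoers rules skip the password prompt. The following is an added example, not part of any message in this thread; the sample sudoers text is constructed, and the parser is a simplification that does not expand aliases or follow include directives.

```python
import re

# Constructed sample sudoers content (not from any real host).
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL)   ALL
%wheel  ALL=(ALL)   ALL
alice   ALL=(ALL)   NOPASSWD: ALL
%ops    ALL=(root)  NOPASSWD: /usr/bin/systemctl restart httpd, \\
                    /usr/bin/journalctl
bob     ALL=(ALL)   PASSWD: /usr/bin/less /var/log/messages
#includedir /etc/sudoers.d
"""

# '#' starts a comment unless it is a '#uid' user spec; includes are not followed.
IGNORED = re.compile(r"#(?!\d+\s)|@include|Defaults\b|\w+_Alias\b")
NOPASSWD = re.compile(r"\bNOPASSWD\s*:")


def logical_lines(text):
    """Yield rules with backslash continuations joined and non-rules dropped."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line and not IGNORED.match(line):
            yield line


def nopasswd_rules(text):
    """Return (who, is_group, unrestricted, commands) for each NOPASSWD rule."""
    findings = []
    for line in logical_lines(text):
        if not NOPASSWD.search(line):
            continue
        who, rest = line.split(None, 1)
        commands = NOPASSWD.split(rest, maxsplit=1)[1].strip()
        findings.append((who, who.startswith("%"), commands == "ALL", commands))
    return findings


if __name__ == "__main__":
    for who, is_group, unrestricted, commands in nopasswd_rules(SAMPLE_SUDOERS):
        scope = "ANY command" if unrestricted else commands
        print(f"{who}: sudo without password for {scope}")
```

Entries reported as unrestricted are the ones the thread warns about: anyone who gains access to that local account gets root without a further prompt.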