On 4/9/21 10:47 AM, Binet, Valere (NIH/NIA/IRP) [C] wrote:
> The NIST and CIS baselines don't allow su, we have to use sudo on
> government computers.
>

Could you enlighten me on the rationale behind that restriction? As, as
you already noticed, my [ancient, maybe] reasoning makes me arrive at an
opposite conclusion. (but mine is pure security consideration with full
trust vested into sysadmin, see below...)

On a second guess: it is just for a separation of privileges, and
accounting of who did what which sudo brings to the table... Right?

Thanks in advance.

Valeri

> Valère Binet
>
> On 4/9/21, 11:39 AM, "Valeri Galtsev" <galtsev at kicp.uchicago.edu> wrote:
>
>
>
> On 4/9/21 10:31 AM, Johnny Hughes wrote:
> > On 4/9/21 5:18 AM, Steve Clark via CentOS wrote:
> >> On 4/8/21 3:50 PM, Tony Schreiner wrote:
> >>
> >> On Thu, Apr 8, 2021 at 2:33 PM Nicolas Kovacs
> >> <info at microlinux.fr> wrote:
> >>
> >> On 08/04/2021 at 18:58, Steve Clark via CentOS wrote:
> >>
> >> How do I allow root log in on GDM.
> >>
> >> tl;dr: you don't.
> >>
> >> Log in as a non-root user, and when you do need root, either open up a
> >> terminal and use 'su -' or (even better) set up your user by making
> >> your user a member of the wheel group and then use sudo.
> >>
> >> Logging in to a GUI as root is *BAD* practice.
> >>
> >> Cheers,
> >>
> >> Niki
> >>
> >> That said - you can do it, by clicking on "Not listed?" and typing root
> >> into the user field.
> >>
> >> Yes I have done that and it immediately comes back to the login screen,
> >> I know I am typing the correct passwd, because if I botch the passwd I
> >> get a message to that effect.
> >>
> >
> > I would not recommend ever using the GUI as the root user .. it creates
> > keys and items that are very dangerous. (gnome key rings, etc)
> >
>
> +1000
>
> > You should be able to 'su -' , then use visudo to create a sudo account
> > for your user. You can even NOPASSWD your user for using sudo (you may
> > or may not want to do that .. if someone gains access to your local
> > account, they could then sudo with no passwd).
> >
>
> In the past I even avoided sudo. It is yet one more SUID-ed binary on your
> machine. Which may add to your potential [local, in general]
> vulnerability footprint. su, - making yourself root is more than enough
> for regular sysadmin.
>
> > But, I have never, ever logged in as root on a GUI account directly on a
> > machine that I cared about or was keeping live .. just advice, do with
> > it what you will.
> >
>
> +1
>
> To OP: Do as you wish, and deal with consequences.
>
> Valeri
>
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > https://lists.centos.org/mailman/listinfo/centos
> >
>

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
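
Added example, not part of the original thread: a small audit for the NOPASSWD trade-off raised in the quoted advice above, listing which sudoers rules skip the password prompt and whether they cover all commands. The function names `nopasswd_rules` and `sample_sudoers` are hypothetical, and the sudoers content is a constructed sample.

```shell
#!/bin/sh
# Added example: list sudoers rules that carry the NOPASSWD tag.
# Usage: nopasswd_rules /etc/sudoers /etc/sudoers.d/*   (or pipe a file in)
# Output: one line per rule: <user-or-group> TAB <ALL|limited> TAB <rule>

nopasswd_rules() {
    awk '
        # Join backslash-continued lines into one logical rule.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = ""; sub(/^[ \t]+/, "", line) }
        # Skip blank lines and comments; "#1000 ..." (a uid) is a real rule.
        line ~ /^$/ || line ~ /^#([^0-9]|$)/ { next }
        # Defaults lines set options, they do not grant commands.
        line ~ /^Defaults/ { next }
        line ~ /NOPASSWD[ \t]*:/ {
            split(line, f, /[ \t]+/)            # f[1] = user, %group or alias
            cmds = line
            sub(/.*NOPASSWD[ \t]*:[ \t]*/, "", cmds)
            # A command list starting with ALL means passwordless full root.
            scope = (cmds ~ /^ALL([ \t,]|$)/) ? "ALL" : "limited"
            printf "%s\t%s\t%s\n", f[1], scope, line
        }
    ' "$@"
}

# Constructed sample input (not taken from any real host).
sample_sudoers() {
    cat <<'EOF'
# constructed sample sudoers
Defaults env_reset
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
alice   ALL=(ALL)       NOPASSWD: ALL
backup  ALL=(root)      NOPASSWD: /usr/bin/rsync, \
                        /usr/bin/tar
# bob ALL=(ALL) NOPASSWD: ALL
EOF
}

# Demonstration run on the constructed sample.
sample_sudoers | nopasswd_rules
```

Rules reported with scope `ALL` are the case described in the thread: anyone who gains access to that local account gets root without a password.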