On 4/9/21 10:47 AM, Binet, Valere (NIH/NIA/IRP) [C] wrote:
> The NIST and CIS baselines don't allow su, we have to use sudo on
> government computers.
>
Could you enlighten me on the rationale behind that restriction? As, as
you already noticed, my [ancient, maybe] reasoning makes me arrive at an
opposite conclusion. (but mine is pure security consideration with full
trust vested into sysadmin, see below...)
On a second guess: it is just for a separation of privileges, and
accounting of who did what which sudo brings to the table... Right?
Thanks in advance.
Valeri
> Valère Binet
>
> On 4/9/21, 11:39 AM, "Valeri Galtsev" <galtsev at kicp.uchicago.edu> wrote:
>
>
>
> On 4/9/21 10:31 AM, Johnny Hughes wrote:
> > On 4/9/21 5:18 AM, Steve Clark via CentOS wrote:
> >> On 4/8/21 3:50 PM, Tony Schreiner wrote:
> >>
> >> On Thu, Apr 8, 2021 at 2:33 PM Nicolas Kovacs
> >> <info at microlinux.fr> wrote:
> >>
> >> On 08/04/2021 at 18:58, Steve Clark via CentOS wrote:
> >>
> >>
> >> How do I allow root log in on GDM.
> >>
> >>
> >>
> >> tl;dr: you don't.
> >>
> >> Log in as a non-root user, and when you do need root, either open up a
> >> terminal and use 'su -' or (even better) set up your user by making
> >> your user a member of the wheel group and then use sudo.
> >>
> >> Logging in to a GUI as root is *BAD* practice.
> >>
> >> Cheers,
> >>
> >> Niki
> >>
> >>
> >>
> >>
> >>
> >> That said - you can do it, by clicking on "Not listed?" and typing root
> >> into the user field.
> >>
> >> Yes I have done that and it immediately comes back to the login screen,
> >> I know I am typing the correct passwd, because if I botch the passwd I
> >> get a message to that effect.
> >>
> >>
> >>
> >
> > I would not recommend ever using the GUI as the root user .. it creates
> > keys and items that are very dangerous. (gnome key rings, etc)
> >
>
> +1000
>
> > You should be able to 'su -' , then use visudo to create a sudo account
> > for your user. You can even NOPASSWD your user for using sudo (you may
> > or may not want to do that .. if someone gains access to your local
> > account, they could then sudo with no passwd).
> >
>
> In the past I even avoided sudo. It is yet one more SUID-ed binary on your
> machine. Which may add to your potential [local, in general]
> vulnerability footprint. su, - making yourself root is more than enough
> for regular sysadmin.
>
> > But, I have never, ever logged in as root on a GUI account directly on a
> > machine that I cared about or was keeping live .. just advice, do with
> > it what you will.
> >
>
> +1
>
> To OP: Do as you wish, and deal with consequences.
>
> Valeri
>
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > lists.centos.org/mailman/listinfo/centos
> >
>
> --
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
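
Added example, not part of the thread and not code from any of the posters: a small audit for the NOPASSWD caveat quoted above, listing which sudoers rules let a user or group run commands without a password prompt. The sample policy and the function names are constructed for illustration; the parser is simplified and does not handle `#uid` user specs or escaped commas.

```python
import re

# Constructed sample policy for illustration; not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
# %wheel    ALL=(ALL)       NOPASSWD: ALL
steve       ALL=(ALL)       NOPASSWD: ALL
backup      ALL=(root)      NOPASSWD: /usr/bin/rsync, \\
                            PASSWD: /usr/bin/systemctl
"""

RULE = re.compile(r"^(?P<who>\S+)\s+[^=]+?=\s*(?P<spec>.+)$")
NOT_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Join backslash-continued lines; drop blanks, comments and include directives."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        # Simplification: every '#' line is skipped, so '#uid' user specs are not audited.
        if line and not line.startswith(("#", "@")):
            yield line

def nopasswd_rules(text):
    """Return [(user_or_group, [commands])] for rules that skip the password prompt."""
    findings = []
    for line in logical_lines(text):
        m = None if line.startswith(NOT_RULES) else RULE.match(line)
        if not m:
            continue
        spec = re.sub(r"\([^)]*\)", "", m["spec"])  # drop (runas) lists
        nopass, cmds = False, []
        for item in spec.split(","):
            item = item.strip()
            # Tags are sticky: NOPASSWD applies to later commands until PASSWD resets it.
            while (tag := re.match(r"([A-Z_]+):\s*", item)):
                if tag[1] in ("NOPASSWD", "PASSWD"):
                    nopass = tag[1] == "NOPASSWD"
                item = item[tag.end():]
            if nopass and item:
                cmds.append(item)
        if cmds:
            findings.append((m["who"], cmds))
    return findings

if __name__ == "__main__":
    for who, cmds in nopasswd_rules(SAMPLE_SUDOERS):
        print(f"{who}: password-less sudo for {', '.join(cmds)}")
```

On a real host the input would be the contents of /etc/sudoers and the files under /etc/sudoers.d, read as root.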