How do I make sudo ask for the root password?
When I run sudo as a normal unprivileged user, it asks for my password, not the root password. That's often convenient, but it reduces the amount of information someone would have to have in order to run commands as root. So how can I make sudo ask for the root password instead of the invoking user's password?
I know it'd be done with a line in /etc/sudoers, but I can never seem to properly parse the BNF grammar in the man page to figure out exactly what to write.
linux sudo root
I recommend you restrict the commands that are permissible as the non-root user so that you need not worry about exposing arbitrary commands.
– Slartibartfast
Jul 9 '10 at 5:02
@slartibartfast: but then what happens when I need to run a command as root that is not in the preapproved list?
– David Z
Jul 9 '10 at 5:46
asked Jul 9 '10 at 4:38 by David Z
6 Answers
Using sudo su will let you run as many commands as you want in succession.
Good idea, but unless I change sudo to prompt for the root password, this would still allow someone to gain root access by presenting only one password (not root's). So it doesn't really address the security concern that prompted my question.
– David Z
Jul 9 '10 at 20:14
Instead of using sudo's capacity to limit access by user you are exposing your root password to a number of users. You are also removing the capability of securing your server by removing the password from root.
– BillThor
Jul 10 '10 at 2:53
Ok, here it is again so you can set the checkmark.
In /etc/sudoers, add this line:
    Defaults rootpw
to turn on the rootpw flag, making sudo ask for the root password.
answered Jul 9 '10 at 21:54 by Florian Diesch (edited Jul 10 '10 at 1:19 by Josh Hunt)
You should always use the visudo command instead of manually editing the /etc/sudoers file. visudo validates the file to make sure it's correct before saving, so you don't get locked out of sudo if you make a syntax error... askubuntu.com/a/81054/166411
– Colin D Bennett
Nov 26 '13 at 21:22
You need to turn the rootpw flag on.
answered Jul 9 '10 at 4:40 by Ignacio Vazquez-Abrams
As I said, I haven't been able to work through the BNF notation in the man page - so what line would I insert into /etc/sudoers to enable this flag?
– David Z
Jul 9 '10 at 5:48
Defaults rootpw
– Florian Diesch
Jul 9 '10 at 9:57
@Florian: whaddya know, it's that easy :-) If you post that as an answer you get the checkmark.
– David Z
Jul 9 '10 at 20:11
I know this question is old, but it is the most concise question I've found for this use case (which is a minor percentage, true, but nonetheless legitimate and helpful in the right scenario).
After putting all the steps together from various sources - including multiple answers to this question, these steps work on Ubuntu-Gnome 16.04 LTS:
Set a password for root
- This is CRITICAL to do FIRST! (Ubuntu automatically has no password for the ROOT user due to the standard security configuration.)
- If you do not do this first, you will lock yourself out from accessing root privileges. This can be overcome by booting in with a Live Disk, mounting the hard drive, and editing the sudoers file, but it's best to avoid that.
- Open a terminal and enter:
    sudo passwd
- Set your new password for the ROOT user.
Change the SUDO configuration to require the root password
- SUDO requires the user requesting root privileges
- Setting the "rootpw" flag instead tells SUDO to require the password for the root user.
- Open a terminal and enter:
    sudo visudo
- This will open the "/etc/sudoers" file
- After the other "Defaults" line, add:
    Defaults rootpw
- Save it (assuming you are in nano, which is the default, this is CTRL+O)
- Close the file (CTRL+X) & exit the terminal
- You're done!
Just a quick note - I also wanted to make sure that the root user couldn't be used to login from the graphical login, and so was looking into ways to exclude it. Apparently, the root user is excluded by default, and cannot be used to login through the Gnome graphical login - which is a very good thing!
answered Oct 13 '16 at 2:24 by SRDC
Could you suggest improvements to reverse a downvote?
– SRDC
Nov 9 '16 at 16:05
Doesn't seem to be wrong.
– Ruslan
Mar 8 '17 at 13:30
Possibly because a simple (and working) config of: root ALL=(ALL) ALL Defaults targetpw ALL ALL=(ALL) ALL Allows root sudo for every user that knows the root password. Naively changing the last two lines to your solution Defaults rootpw causes a lockout from sudo. You also need to add your user to sudoers like so: myusername ALL=(ALL) ALL or give similar privileges to a group and then add myusername to that group.
– Paul Parker
22 hours ago
You could just turn off sudo and use su -c.
answered Jul 9 '10 at 5:06 by Nitrodist
Inconvenient because I have to enter my password every time I run it. The use case here is having to run multiple commands as root in quick succession.
– David Z
Jul 9 '10 at 5:45
A common configuration that requires the password of the target (not what we want):
Defaults targetpw
ALL ALL=(ALL) ALL
The second line would read out loud like:
"ALL users on ALL hosts can impersonate (ALL) users when executing ALL commands."
and the Defaults targetpw
means that they need to know the password of the user they are impersonating to do so.
Naively changing this simple config to:
Defaults rootpw
wouldn't leave any user or group with the privilege to run commands as another user.
One working possibility would be:
Defaults rootpw
myuser ALL=(ALL) ALL
In plain English, myuser
now has the ability to run ALL commands as any user on ALL hosts, so long as the root password is known.
Another working possibility would be:
Defaults rootpw
%sudousers ALL=(ALL) ALL
Any member of the sudousers
group will have the ability to run ALL commands as any user on ALL hosts, so long as the root password is known. To allow myuser
to run sudo commands, sudousers
would need to be added to its secondary groups.
su
usermod -a -G sudousers myuser
exit
New contributor
New contributor
answered 21 hours ago
Paul Parker
101
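The fragments discussed in the answer above can be checked mechanically. The following is an added example, not part of the original post: it reads a sudoers fragment and reports which password sudo will ask for and which principals hold a rule, so the "Defaults rootpw alone grants nothing" case shows up as grants=none. The function name sudoers_audit and the sample variable names are hypothetical, and only global Defaults lines are handled.

```shell
#!/bin/sh
# Added example: report which password sudo will ask for, and who holds a
# rule, for a sudoers fragment read on stdin.
# Assumptions: only global "Defaults" lines are read; scoped Defaults,
# aliases, includes and line continuations are ignored.

sudoers_audit() {
    awk '
        /^[ \t]*(#|$)/    { next }      # comments and blank lines
        $1 ~ /_Alias$/    { next }      # User_Alias, Cmnd_Alias, ...
        $1 == "Defaults" {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            gsub(/,/, " ", line)        # flags may be comma-separated
            n = split(line, flags, " ")
            for (i = 1; i <= n; i++) {
                if (flags[i] == "rootpw")    rootpw = 1
                if (flags[i] == "!rootpw")   rootpw = 0
                if (flags[i] == "targetpw")  targetpw = 1
                if (flags[i] == "!targetpw") targetpw = 0
            }
            next
        }
        $1 ~ /^Defaults/  { next }      # scoped Defaults: not handled here
        /=/ { grants = grants (grants == "" ? "" : ",") $1 }  # user spec
        END {
            # rootpw takes precedence over targetpw when both are set
            pw = rootpw ? "root" : (targetpw ? "target" : "invoking-user")
            printf "password=%s grants=%s\n", pw, (grants == "" ? "none" : grants)
        }
    '
}

# Constructed input: the four fragments discussed in the answer.
target_cfg='Defaults targetpw
ALL ALL=(ALL) ALL'
naive_cfg='Defaults rootpw'
user_cfg='Defaults rootpw
myuser ALL=(ALL) ALL'
group_cfg='Defaults rootpw
%sudousers ALL=(ALL) ALL'

for cfg in "$target_cfg" "$naive_cfg" "$user_cfg" "$group_cfg"; do
    printf '%s\n' "$cfg" | sudoers_audit
done
```

Before installing any fragment on a real system, validate it with visudo -c -f, since a syntax error in sudoers can leave sudo unusable.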
Using sudo su will let you run as many commands as you want in succession.
answered Jul 9 '10 at 11:44
user33460
2
Good idea, but unless I change sudo to prompt for the root password, this would still allow someone to gain root access by presenting only one password (not root's). So it doesn't really address the security concern that prompted my question.
– David Z
Jul 9 '10 at 20:14
Instead of using sudo's capacity to limit access by user you are exposing your root password to a number of users. You are also removing the capability of securing your server by removing the password from root.
– BillThor
Jul 10 '10 at 2:53
I recommend you restrict the commands that are permissible as the non-root user so that you need not worry about exposing arbitrary commands.
– Slartibartfast
Jul 9 '10 at 5:02
@slartibartfast: but then what happens when I need to run a command as root that is not in the preapproved list?
– David Z
Jul 9 '10 at 5:46