locking down umbuntu or linux permissions 101?

[spyder]

We were talking in another thread about distro's respective pro's and cons. We hardly scratched the surface before I pointed out security flaws in Ubuntu. I readily conceed there is a work around (or two) that can be applied, but this is just one example of how it is bad "Out of the Box" (so to speak).
So, you are in front of your buddies (or your own) Ubuntu box as a user he created for you. You open any terminal and change the root password.

[Matrix]

First I will say that after installing Ubuntu, I enable the root account and change the password. Then I proceed to disable all admin privileges from the user that was created when installing the OS.

I become that main user and I do not use sudo. I open a terminal and use su and become root to run commands then exit. If I need a GUI I would swtich user and log in as root. When I am done I log off root and remain as a normal user. I never use the system otherwise logged in as root.

So back to what Spyder wrote: After doing what I have done, can a normal user I created still use that method to change the root password?

What is the wheel group and what does it do? I do not remember seeing that in the list of groups.
_________________
Matrix

[NamLorKargo]

The answer depends on the details in removing all admin privileges from the user that was created when installing the OS.

If you used Ubuntu's interface to remove admin privileges, than you cannot sudo anymore. The key is to remove the user from the privileged group whose name is something like admin.

The wheel group is allowed to su to root. However, any account can su to another non-root account, so don't be careless with the password to any account that can su to root. This is a scenario I see fairly often on Ubuntu boxes. User installs OS and creates main user whom we will call mainuser. Then the user creates a second account called user2 using the Ubuntu gui and does not give it any admin privileges. I, malicious hacker, am given assigned the user2 account on this box and somehow find out mainuser's password. Now I su to mainuser. I can now use sudo passwd to set the root password.

Of course, this all depends on finding out mainuser's password, but if I am sharing the computer with mainuser, that will happen eventually.

[NamLorKargo]

You may have gotten the impression by now that sudo is not the most secure tool. You also mentioned that you enable the root account instead of using sudo. Sudo can be much better than running as root IF it is configured correctly. The configuration on Ubuntu is a bit lax due to design decisions, but it can be made much more secure. In fact, I always set up sudo on whatever box I am using because you get some logging that you don't get when running as root.

There is a file called /etc/sudoers that controls the behavior of sudo. NEVER just open this file with a text editor and go hacking away. The syntax can be tricky and if you mess it up, you could lock yourself out of your own system fairly effectively. Instead, run visudo as root (you could run sudo visudo, for example). This will invoke the editor specified in the EDITOR environment variable and will check the file for errors when you close the editor.

The key to secure sudo usage is research and planning. I like to identify and categorize the commands I need to run as root and assign different levels of security to them. For example, on my BSD laptop I regularly needed to change network settings depending on my location, so I set up the ifconfig and iwconfig (There is no iwconfig in BSD. I am just putting things in the linux context.) commands as well as my network scripts to run as root without prompting for a password. Other common commands with more potential for abuse (filesystem access, etc) were set up to require my user password (passwd was NOT in this group). Some commands like passwd, visudo, or commands with known security holes were still usable from sudo, but I had to put in the root password. I used su to gain root privileges on the rare occasions I knew I would have to do a lot of stuff as root.

Sudo can be secure if you set it up that way. At the same time it can be much more convenient than having to change to root, and it logs every command it runs so you have a history of what was done to your system. Another cool trick is to use sudo to run commands as other users. Sometimes things only work if you are a certain, non-root user. You can configure sudo to run those commands as that other user if you need to. It is usually not recommended; most of the time is better to fix whatever is blocking the other users from running the command, but sudo gives you some flexibility if you really need it.

Details on how to configure the sudoers file can be found in the visudo and sudoers man pages.

[Matrix]

[d4de]

Do you have Partition Magic 8? I ran into the similar issue with my box and I ended up having to use it and assigning a partion just for Slack then Running the Cd 1 and it worked from there. What the conflict is, I still haven't a clue but, this is the get around for it!! If you don't have it, I do and will find a way to get it to you! Just let me know!
_________________

[Matrix]

Thanks Black.

I do have Partition Magic but I tried another machine and the install worked without problems so I will troubleshoot that machine and see what the problem is.
_________________
Matrix

[d4de]

OK man, glad that worked for you, Hope you enjoy it. Like I said, My machine, I HAD to use Partition Majic, got it installed, of course I use a dual-doot system! Hope you enjoy the many features Slack has to offer, also, if you goto www.slackware.com they have thier own list of downloads and to-dos and you can keep up dated on future events and suchforth also!!
_________________

[spyder]

It seems Matrix, you have taken this thread off topic. Rather than adding whole different scenario as a side note in an existing thread, start a new thread. This thread has not been truly explored yet and you have it going down a different, unrelated road. The topic of this thread is how to secure your linux box, not how to use a partition editor or a boot error code. Please do not do this again.
_________________
01110011 01110000 01111001 01100100 01100101 01110010 00100000 01110111 01100001 01110011 00100000 01101000 01100101 01110010 01100101

[Matrix]

Noted.
_________________
Matrix

[riot82]

I'm kind of surprised that nobody has brought up IPTABLES yet. I wonder if firewall scripting should go here, or if it belongs in it's own category. It's a rather broad topic
_________________
Microsoft isn't evil, they just make really crappy operating systems.

--Linus Torvalds

[Matrix]

I should think that it is a part of locking down a box and I was going to bring that up.

Question is if Firestarter in Ubuntu is secure enough and how can it be made secure?

I usually install the interface and configure from there.
_________________
Matrix