sudo is a convenient command that lets a non-root general user run commands with root privileges without running the su command. But it is dangerous. This article explains why, how to disable sudo, and how to operate the machine once sudo is disabled.
If you understand how sudo behaves and have configured it within a limited scope, please skip this article; for you it would be "preaching to the Buddha".
This is written with the following readers in mind:
-- People running systems that generally have only one administrator, such as RasPi and NanoPi
-- People who are new to managing Linux machines and do what the introductory book says without knowing what it means
-- Authors who left security to other books and, for the time being, wrote something careless in a trendy RasPi introductory book
A password is required to log in. A Linux machine that accepts ssh is protected from the outside world by a single password. But a password is very weak protection. No matter what password you set, it can always be cracked with modern technology. So what about two-step authentication? An attacker has to crack the password, actually log in, and then su with another password. It is easy to picture if you imagine that, after unlocking the entrance to the building, the entrance to the control room has its own door with another lock.
To ensure security, the system is usually configured so that root cannot log in over ssh from the outside. This is the setting that does it:
/etc/ssh/sshd_config:
PermitRootLogin no
It is a well-designed mechanism. But think about it: do you need the root password to run sudo? You do not.
Users listed in the following files can run sudo without the root password:
/etc/sudoers.d/*
/etc/sudoers
It is the same as removing one of the two entrance doors. Configuring sudoers makes the system as weak as leaving PermitRootLogin set to yes.
It is easy to put the double door back: simply do not list any users in sudoers. I can already hear the scream: "If I do that, I can't manage the machine!" When I learned unix, there was no sudo. sudo is a very dangerous, evil command that was created later, and system management works without any problem when it is not there.
First, change the root password. If you have only ever used sudo, maybe you do not even know the root password?
sudo passwd root
This is sudo's last job. Surely you are not going to set "1234". Use 8 or more characters with letters, symbols, and numbers mixed. It is the key to the safe.
su
cd /etc/sudoers.d
rm *
That completes the change.
su
Password: <root_pass>
That way, you are root only when you need to be root.
The machine's default settings contain dangerous traps that are easy to close.
-- It is better to delete easily guessable users such as pi, demo, guest, test, nano.
-- For users that need to exist but never log in, such as ftp and sshd, set the login shell to /bin/false, as in the following:
su
vipw
ftp:x:1005:1005:,,,:/home/ftp:/bin/false
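The script below is an added example, not part of the original article: read-only checks that confirm the settings described above (no remaining sudoers rules, no guessable or service account with a login shell, PermitRootLogin no). The function names and sample files are constructed for illustration, and the sudoers parse is deliberately simplified.

```shell
#!/bin/sh
# Added example: read-only checks for the three settings this article changes.
# Paths are arguments, so the checks can be tried on copies of the real files.

# Print active sudoers rules. Simplified parse: comments, blank lines, includes,
# Defaults and alias definitions are skipped; continuation lines are not joined.
sudoers_grants() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v f="$f" '
            /^[ \t]*$/ || /^[ \t]*[#@]/ { next }
            /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
            { print f ": " $0 }' "$f"
    done
}

# Print accounts in a passwd-format file ($1) whose name matches the
# alternation in $2 and whose shell is not /bin/false or nologin.
logins_with_shell() {
    awk -F: -v re="^($2)\$" '$1 ~ re && $7 !~ /\/(false|nologin)$/ { print $1 }' "$1"
}

# Succeed only if the global part of an sshd_config-format file sets
# "PermitRootLogin no" (sshd uses the first value it finds for a keyword).
root_ssh_disabled() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { v = $2; exit }
         END { exit (v == "no" ? 0 : 1) }' "$1"
}

# Constructed sample files (not taken from a real machine).
d=$(mktemp -d)
printf '%s\n' '# sample' 'Defaults env_reset' 'pi ALL=(ALL) NOPASSWD: ALL' > "$d/sample_rule"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'pi:x:1000:1000:,,,:/home/pi:/bin/bash' \
    'ftp:x:1005:1005:,,,:/home/ftp:/bin/false' > "$d/passwd"
printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin no' > "$d/sshd_config"

sudoers_grants "$d/sample_rule"      # lists the rule that is still active
logins_with_shell "$d/passwd" 'pi|demo|guest|test|nano|ftp'   # prints: pi
root_ssh_disabled "$d/sshd_config" && echo "root ssh login is disabled"
rm -rf "$d"
```

On a real machine, run the functions as root against /etc/sudoers, /etc/sudoers.d/*, /etc/passwd and /etc/ssh/sshd_config; empty output from the first two means nothing is left to clean up.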
Whether it is a trendy small SBC or a small SBC that is not very popular, crackers will come as soon as you connect it to the internet. Do not think "because it is small, the countermeasures can be small too." Please take proper measures.
I was surprised when I looked at the introductory books on Raspberry Pi. All of them log in as pi and configure everything with sudo. Whatever else you do, the first thing to do is:
sudo passwd root
su
adduser your_name
deluser pi
It is a device that can be connected to the network as it is. Please consider network security when writing. Beginners do exactly what is written.