
I am very new to Linux OS (I've started with CentOS 7), so I was wondering if it's possible to create some sort of super user who will have the same privileges as root. By that I mean the ability to write + read + execute folders and files that are owned by the root user. Why do I need this? I have a VPS with full access. In order to increase the security of my web server I have created a new user and disabled root login, and now I'm logging into my server with an RSA public/private key through PuTTY and WinSCP. This is my sshd.conf:

Port my_port_number
Protocol 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

AuthorizedKeysFile  .ssh/authorized_keys
PasswordAuthentication no
RSAAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no

SyslogFacility AUTHPRIV

LoginGraceTime 15m
PermitRootLogin no
StrictModes yes
MaxAuthTries 2

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM no

IgnoreRhosts yes

X11Forwarding no
ClientAliveInterval 120
ClientAliveCountMax 720

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem   sftp    /usr/libexec/openssh/sftp-server
AllowUsers user_that_i_have_created

Also, I have added this line to /etc/sudoers:

## Allow root to run any commands anywhere 
root    ALL=(ALL)   ALL
user_that_i_have_created ALL=(ALL) ALL

I've done this also:

usermod -aG wheel user_that_i_have_created

What is the problem now? As the new user that I've created, I'm unable to access files and folders that only root is allowed to read and modify. As I often need to modify some root-owned configuration files (Apache's httpd.conf, for example), I need to have access to these files through WinSCP because I got used to editing them through its notepad. Editing these files via PuTTY (logged in as root) would be a waste of time.

I've imagined that I will be able to create a new user, the same as root (regarding privileges and permissions) but with a different name. Is that even possible in Linux?

Ljubisa Livac
  • It is possible to create a user equivalent to root, but it is more common to use `sudo`. – 84104 Jun 09 '18 at 14:34
    You can’t. Root is special not because of the name but because it’s UID 0 and GID 0. There is only one 0. – John Keates Jun 09 '18 at 18:16

3 Answers

6

That is what sudo is for. If configured correctly, a user in the sudoers file can do everything root can do.

To edit a file: instead of `vim filename` you just use `sudo vim filename`, and similarly for every other command.

Creating an additional actual root user is not really possible: you can give another user the ID 0 as well, but then that's the actual root user with another name.

Sven
  • Sudo doesn't help with scp though. – Gerald Schneider Jun 09 '18 at 14:14
  • @GeraldSchneider: Right. Having another user with ID 0 makes restricting root login useless though. Having this restriction is more important than editing a file with notepad IMHO... – Sven Jun 09 '18 at 14:17
  • Thank you for your answer and explanation! I agree with you, but on the other hand I find that WinSCP feature of editing files, downloading (making a backup file on my local PC, which is very important also) and uploading files to the web server easily very handy, so that's the main reason why I have asked this question. – Ljubisa Livac Jun 09 '18 at 14:41
  • @Ljubisa Livac If so, just give write access to your "favorite" config files for your personal login: `chgrp mylogin /etc/httpd/conf/httpd.conf; chmod g+w /etc/httpd/conf/httpd.conf`. – Veniamin Jun 09 '18 at 21:48
1

Editing these files via PuTTY (logged in as root) would be a waste of time.

If the above is really your sweet spot with regards to security versus workload, then happily set `PermitRootLogin without-password` and log in directly via WinSCP as root to edit anything you wish.

All the "don't log in as root" idea is for people who can afford some of their time to use sudo. If you only allow root login with a passphrase-protected private key, the vulnerability surface is approximately the same (one private key needed + one password needed).

However, I find highly debatable the assertion that the PuTTY approach is slower than WinSCP. It's faster for me - I don't know, maybe I don't know how to use WinSCP efficiently. Or maybe you need a refresher on your bash skills.

kubanczyk
  • I've ended up with this solution, as I've returned to using root as a user with a passphrase-protected private key, because WinSCP makes my life easier and it's important for me to use it without restrictions. I'm sure that you know how to use WinSCP efficiently, but I'm bad at PuTTY :) – Ljubisa Livac Jun 16 '18 at 16:44
0

Expanding on Veniamin's comment, an alternative to becoming root is to alter the permissions on config files such that your personal user can edit them.

Perhaps you create a wwwadmin user group and add yourself to it. Then create your web server configs in /etc/httpd/conf.d/ and make them writable by group wwwadmin.

You might also want to be able to restart httpd. You can create sudo rules that only allow that one service restart command as root.

Starting httpd as root is optional, too. You could override the systemd httpd.service to add CAP_NET_BIND_SERVICE (for ports < 1024) and to run as a different user and group. See the systemd.exec man page.

John Mahowald