Chris Green <c...@isbd.net> wrote:
> Dan Ritter <d...@randomstring.org> wrote:
> > Chris Green wrote:
> > > I'd like to force a different password from my own password when I do
> > > 'sudo -i' to get root privilege. However I'm a bit frightened about
> > > what might happen if I set 'Defaults rootpw' in the sudoers file but
> > > forget to actually create a root password. (This is on systems where,
> > > previously, I've never had a root password).
> > >
> > > Would this totally lock me out from becoming root? Would the only way
> > > out be to boot into single user mode to mend things?
> >
> > Mostly, yes.
> >
> > > ... or is visudo clever enough to spot this?
> >
> > No.
> >
> > How about this:
> >
> > Create a second user -- we'll call it foo. Give foo sudo
> > privileges. Take away sudo privileges from your normal account.
> >
> > Now, when you want to do something with root privileges, you ssh
> > to localhost as foo:
> >
> > ssh foo@localhost
> >
> > give foo's password to login, then run sudo, giving foo's
> > password again.
> >
> > Never use foo or foo's password in any other context.
> >
> > Does that solve your issue?
> >
> Yes, good idea, also suggested by the other reply. A new/different
> user with sudo rights will be insurance against the above problem and
> might even be a sensible alternative. It would have the advantage of
> not changing the default sudoers configuration too.
>
Ah, but... Of course a different user with sudo rights won't protect
against the above problem as the 'Defaults rootpw' will still demand
the non-existent root password.

However a second user with sudo rights and no sudo rights for the main
user would achieve what I want.

-- 
Chris Green
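
A pre-flight check for the lockout discussed in this thread, added here as an example and not part of any poster's message: it flags a sudoers file that enables 'rootpw' while root's entry in a shadow-format file has no usable password. The function names and sample files are constructed, and the check reads one sudoers file only (it does not follow includes such as /etc/sudoers.d).

```shell
#!/bin/sh
# Added example: pre-flight check before enabling 'Defaults rootpw'.
# Function names and the sample files below are constructed for illustration.

# Print the state of root's password field in a shadow(5)-format file:
# usable, locked, empty or missing.
root_pw_state() {
    line=$(grep '^root:' "$1" | head -n 1)
    [ -n "$line" ] || { echo missing; return 0; }
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    case $hash in
        '')         echo empty ;;   # no password set at all
        '!'*|'*'*)  echo locked ;;  # no typed password can match this field
        *)          echo usable ;;
    esac
}

# Succeed if the sudoers file has an active, non-negated 'rootpw' default.
rootpw_enabled() {
    grep -Eq '^[[:space:]]*Defaults[^#]*[[:space:],]rootpw([[:space:],]|$)' "$1"
}

# Return 1 when sudo would ask for a root password that cannot be entered.
check_rootpw_safe() {
    if ! rootpw_enabled "$1"; then
        echo "ok: rootpw not enabled in $1"; return 0
    fi
    state=$(root_pw_state "$2")
    if [ "$state" = usable ]; then
        echo "ok: rootpw enabled and root has a password"; return 0
    fi
    echo "LOCKOUT RISK: rootpw enabled but root password is $state"
    return 1
}

# Constructed sample input: a sudoers fragment and two shadow files.
demo=$(mktemp -d)
printf 'Defaults env_reset\nDefaults rootpw\n' > "$demo/sudoers"
printf 'root:!:19000:0:99999:7:::\n' > "$demo/shadow.locked"
printf 'root:$y$j9T$CONSTRUCTED$PLACEHOLDERHASH:19000:0:99999:7:::\n' > "$demo/shadow.set"

check_rootpw_safe "$demo/sudoers" "$demo/shadow.locked" || true
check_rootpw_safe "$demo/sudoers" "$demo/shadow.set"
```

On a real system the same check would be run as root against a candidate sudoers file and /etc/shadow before installing the change, with a second root shell kept open until a fresh 'sudo -i' has been tested.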