Making Admin Accounts More Secure
From Freespire
Background
The default installation of Freespire 1.0 may allow malware to run as root without your knowledge when you are logged in as a user in the admins group (i.e. an Admin account), because of the way Freespire has configured sudoers: members of that group can run sudo without being asked for a password. This is a security hole, since malware that you download unintentionally gets easy access to your complete filesystem. The malware could erase your whole hard disk, modify or replace any file, or do a number of other nasty things.
There are a couple of solutions:
1) Never surf the internet, read email or run a suspicious program while logged in as a user in the admins group (i.e. when using an admin account). This is not a great solution, since people will do it anyway, either by mistake or without knowing the risks.
2) Disable sudoers and create a root account, but never use the root account for activities that do not require access to your complete filesystem, e.g. surfing the internet, writing emails or composing letters. Use a regular account for these activities and log in as root only on the rare occasions when you need to run a program that requires access to your complete filesystem, e.g. installing software.
3) Fix how Freespire implements sudoers. After changing the /etc/sudoers file as described below, sudo asks for a password, so malware does not get easy access to your complete filesystem unless it knows the password of a user in the admins group. Malware is typically not that smart, but note that this raises the bar rather than closing the hole completely: a program running under your account can still, for example, show a fake password dialog and hope that you type your password into it.
The rest of this tip focuses on solution 3. Note that the visudo program is much preferred for editing /etc/sudoers, and not only in a multi-user or multi-computer environment: visudo locks the file properly during editing and refuses to save a file with a syntax error. That check matters because a broken /etc/sudoers stops sudo from working at all, which on a system without a root password locks you out of administration entirely.
GUI Method
Using Root's Action:
- Browse File Manager (Konqueror) to /etc
- Right-click /etc > Actions > Root's Action > Browse (filemanager)
- Browse to sudoers (/etc/sudoers)
- Right-click > Open With > Kate
- Change the line starting with %admins to the following:
%admins ALL=(ALL) ALL
- File Save (Ctrl+S)
visudo Method - The Preferred Method
Using visudo as follows:
- Open up a terminal
- Type "sudo visudo"
- Type "i" to enter the insert mode of the vi editor. (If visudo opens a different editor on your system, use that editor's own save command instead of the vi keystrokes below.)
- Use the arrow keys and change the line starting with %admins to the following:
%admins ALL=(ALL) ALL
- Press ESC on your keyboard. Then type :wq <ENTER>. visudo checks the file for syntax errors before installing it; if it reports one, press "e" to go back and correct the line rather than quitting.
nano Method
- Open up a terminal
- Type "sudo nano /etc/sudoers"
- Use the arrow keys and change the line starting with %admins to the following:
%admins ALL=(ALL) ALL
- Press CTRL-X
- Type "Y" to save the changes
Unlike visudo, nano does not check the syntax of what you saved, so type the line exactly as shown.
Now Reboot or Do a Quick Restart
Reboot or do a quick restart, so that nothing started under the old rules is still running. From now on, when you use sudo or gksudo you will be prompted for your user password, and simple Trojans and viruses will no longer get access to your complete filesystem without knowing the password of a user in the admins group (i.e. an admin account).
Using sudo or gksudo
Use sudo in a Terminal when you want to launch a program that needs to be run as root. (The program being launched can either be a command line program or a GUI based program). You will be asked for your user password in the terminal before the program is launched.
Use gksudo when you want the prompt for the password to appear in a GUI dialog box. gksudo can be run in a terminal but it is typically run as a command in a menu item or as a command associated with an icon on your desktop. e.g. In order for the menu item for the Synaptic Package Manager to use gksudo, do the following:
1) Run the KDE menu editor. (Right Click on Launch and select menu editor)
2) Navigate to the Synaptic Package Manager entry. (Look under Settings - Additional Options. Or Look under Run Programs - Utilities)
3) Change the command in the Command Box in the top right of the window to "gksudo -u root /usr/sbin/synaptic"
You may want to modify other entries such as the Root Terminal in Run Programs - Utilities.
You should also note that the way sudo generally works is that you only enter your password once; you are not asked again unless you have not used sudo for 15 minutes. This does open up a security hole for those 15 minutes, during which a program running under your account can use sudo without a prompt. You must weigh security against convenience. If you want to be stricter, you can reduce the timeout to 0 so that every sudo command asks for the password. To do this, add the line 'Defaults timestamp_timeout=0' to the /etc/sudoers file (the Defaults keyword is required; a bare 'timestamp_timeout 0' is a syntax error, which visudo will reject).
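A script form of the same change, written for this page as an added example rather than taken from Freespire: it rewrites the %admins rule exactly as the three editing methods above do, optionally appends the Defaults timestamp_timeout=0 line just described, and hands the result to visudo -c for a syntax check before it is installed over /etc/sudoers. The sample sudoers content is constructed; the original Freespire rule is assumed to carry a NOPASSWD: tag, which is what makes sudo skip the password prompt. The function names (write_sample_sudoers, admins_rule, is_passwordless, harden_sudoers, check_sudoers) are this example's own.

```shell
#!/bin/sh
# Added example, not Freespire's own code. Hardens a sudoers file the way
# this page describes: the %admins rule is rewritten to
#   %admins ALL=(ALL) ALL
# so members must type their password, and (optionally) the grace period
# is removed with "Defaults timestamp_timeout=0". The result is checked
# with visudo -c before anyone installs it over /etc/sudoers.

# Write a constructed sample sudoers file to $1. The NOPASSWD: tag on the
# %admins line is an assumption about the Freespire 1.0 default, chosen
# because it is what makes sudo skip the password prompt.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, not a verbatim Freespire file
Defaults env_reset
root    ALL=(ALL) ALL
%admins ALL=(ALL) NOPASSWD: ALL
EOF
}

# Print the first %admins rule found in sudoers file $1 (empty if none).
admins_rule() {
    grep -E '^[[:space:]]*%admins[[:space:]]' "$1" | head -n 1
}

# Succeed (exit 0) when the %admins rule lets members run sudo without a
# password, i.e. when it carries a NOPASSWD tag.
is_passwordless() {
    admins_rule "$1" | grep -q 'NOPASSWD'
}

# Copy sudoers file $1 to $2 with the whole %admins line replaced. When $3
# is "strict", also add Defaults timestamp_timeout=0 (only once, so the
# function can be re-run safely) so every sudo call asks for the password.
harden_sudoers() {
    sed -E 's/^[[:space:]]*%admins[[:space:]].*$/%admins ALL=(ALL) ALL/' "$1" > "$2"
    if [ "$3" = strict ] && ! grep -qE '^Defaults[[:space:]]+timestamp_timeout=0' "$2"; then
        printf 'Defaults timestamp_timeout=0\n' >> "$2"
    fi
    chmod 0440 "$2"   # sudoers must not be group- or world-writable
}

# Ask visudo to parse file $1 without installing it; exit 0 only when the
# file is syntactically valid. A broken /etc/sudoers locks everyone out of
# sudo, which is why this step comes before install(1), never after.
check_sudoers() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; cannot check $1" >&2
        return 2
    fi
    visudo -c -f "$1"
}

# Usage on a real system (run as root; the new file only replaces
# /etc/sudoers after visudo has accepted it):
#   harden_sudoers /etc/sudoers /tmp/sudoers.new strict
#   check_sudoers /tmp/sudoers.new && \
#       install -o root -g root -m 0440 /tmp/sudoers.new /etc/sudoers
```

Writing to a temporary file and letting visudo -c vet it is the scripted equivalent of the interactive visudo method: the live /etc/sudoers is never touched until the new content is known to parse.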
For more info on sudo, see Sudo in a Nutshell.

