I tried setting users.users.root.hashedPassword = "*"; similar to sudo passwd -d root or user { 'root': password => '*', require => Package[ruby-shadow], } in Puppet , but after sudo nixos-rebuild switch I'm still able to su - with the old password.

In the Ubuntu 24.04LTS release, all users (including those not in the sudoers group) who log in and use commands such as whoami, id - un, and view UID will be displayed as root users with root privileges, even if the username displayed after logging in is a normal regular username. Therefore, ordinary users are able to write files as root in restricted directories (such as system folders or other user directories). This completely confuses the permissions of the entire system. Here's an example user:

getent passwd fsy
fsy:x:1001:1001:,,,:/home/fsy:/bin/bash

Does anyone know how to solve this problem ...

I have **/home/myuser/Desktop/rc/.netrc** file that i want hardlink to **/root**, ie home directory of **root** user. When i do: ln /home/user/Destkop/rc/.netrc /root it gives the following error: > ln: creating hard link /root/.netrc' => .netrc': Invalid > cross-device link but it works when i hardlink the file to **myuser**'s home, ie to **/home/myuser**. So, what's the problem, why it says invalid cross-devices when there is only one file system here? **PS.** I am using **RHEL6**

I have a particular use case, where I want to extract a tar archive (as root) and intentionally overwrite some destination file(s) with the contents of the archive. This is all fine and easily achievable, but I also want to retain the original ownership and permissions of the original destination file(s). As an example:

$ touch file && tar cf test.tar.gz file &&
  sudo chown www-data:www-data file &&
  sudo tar xf test.tar.gz && ls -l file
-rw-r--r-- 1 tim tim 0 May  1 11:26 file

Here I create a file as my user (tim:tim), archive it, change its ownership to www-data:www-data, then (as root) extract the archive, overwriting the original file. As you can see, its ownership has been modified to that of the file in its pre-archived state, whereas post-extraction, I want it to be owned by www-data:www-data. I've had a fairly close look at the tar man page, but can't see an immediately obvious way to do what I want. Am I missing anything?

I'm having problem of directory due to a typo in a command I wrote in my command I made a typo while writing this command chsh -s/usr/local/bin/bash/ instead of using this chsh -s/usr/local/bin/bash because of that, when I want to use the su command I receive not a directory error and I didn't know that to do. chsh -s/usr/local/bin/bash in order to solve it my self, but it gave me this error: pwd_mkdb: warning, unknown root shell, and displayed chsh: user information updated. But the issue persisted. **Additional info:** Os NAME=FreeBSD;VERSION="13.3-RELEASE-p4";VERSION_ID="13.3".

I am trying to set up a Linux machine with LDAP authentication and root account enabled. There is no issue with the LDAP server and everything works fine. I wanted to disable local users, so I tried editing PAM. I tried using pam-auth-update and unticking the "Unix authentication". Local users are successfully denied, but so is the root account. I am now trying different things at the pam.d files, but it seems I screwed up multiple times and don't know what am I doing. Editing the /etc/pam.d/common-auth file:

auth		sufficient	pam_rootok.so

After I added this line, there is no password prompt and it logs in directly.

auth     pam_succeed_if.so    uid = 0 quiet

I added this line and it does nothing. I am now reading the PAM configuration.  Could anyone help me understand and solve my problem?

In my RHEL 7.8 server, I have allocated 100GB for /root. I need more space because I need to install more software that will be available systemwide for all users. I am new to Linux and not very familiar with the system. My questions are: 1. If I want to increase my /rhel-root, what should I do? 2. If I can't increase the space, how can I change the download and software Installation location? 3. For case 2, is there anything else I need to do so my users have access to the installed software? Thanks a lot for your time!

Today I downloaded the latest VMware image of Kali Linux (Kali Linux 64 bit VM ). After that, I configured the hostname in /etc/hostname and adapted also the /etc/hosts to set permanently a hostname. Then, I executed the following commands: apt-get upgrade && apt-get update dpkg --add-architecture i386 apt-get update apt-get install wine32 apt-get install clamav apt-get install clamav-freshclam and rebooted afterwards. Then, something strange happened. I was no longer able to login with the default credentials root and toor. Although, I did not get the error message Sorry, that didn't work. Please try again., I could not get past the login screen. However, I noticed that I am able to login when selecting GNOME on Wayland and also booting in recovery mode. Any idea what is causing this issue?

I'm using Debian linux. When ever I try to mount a NTFS HDD, it asks password to root. How can I give root permission permanently?

encountered this on Metasploitable 2 **Give root password for maintenance (or type Control-D to continue):** The default root password of **msfadmin** isn't working. It keeps saying login incorrect. Please what is the correct password and how do I resolve this

As far as I know, sudoedit gives a user permission to edit a file that is owned and writable by root. It makes a copy of that file, the copy is owned by the user, and then it spawns a text editor with the privileges of the user. In this way, it avoids the dangers of running a text editor as root (shell escapes). On the other hand, visudo also makes a copy of the sudoers file. However, that copy is owned by root and it spawns a text editor with root privileges. Also, on a Debian 12 system I tried, you can get a root shell from within visudo: it spawns an instance of nano and via the _Execute_ option in nano you can get a shell escape. For example, if you type cat /etc/shadow to _Execute_, it works. Why does visudo spawn a text editor as root? Why can't it do what sudoedit does (make a copy owned by the user, spawn a text editor as the user)? Wouldn't that be more secure? At least, shouldn't it block shell escapes from within the text editor that it spawns as root? Why doesn't it do that?

When setting up a Podman machine in Podman Desktop app, one of the features is "Machine with root privileges". I am inclined to disable that because I am using Podman for safety, to insulate contained software isolated away from my host Mac. The documentation says nothing helpful: >Machine with root privileges: Enable to use the rootful connection by default. Required to use Kind on Windows. If I disable "Machine with root privileges", what will I be giving up?

I am trying to add user e.g. amit to group amit,as below. root# groupadd -g 1500 -f amit root# useradd amit -m -G sudo -u 1500 -g 1500 -o -p "amit" However, when I try to switch to user amit it gives out the message as below: root# sudo su - amit sudo: Account or password is expired, reset your password and try again Changing password for root. May I please know, why am I getting this message, what should I do in order to avoid getting this message and get directly switched to amit user.

I'm trying to understand whether it's possible to map two users from a **user namespace** to two different users on the host. The goal is to replicate the same permissions I have on my host inside a rootfs (Ubuntu base, because I'm trying to build a container from scratch). For example: - Everything under / should belong to root. - /home/user should belong to the regular user. To achieve this, I was thinking of using UID mapping in a user namespace, something like:

UID in user namespace      ---> UID on host
      1000 (admin)         ->       0 (root)
      1001 (bob)           ->    1001 (bob)

Is this kind of mapping even possible? Here’s what I’ve already tried: - Running echo -e "1000 0 1\n1001 1001 1" > /proc/[PID]/uid_map to define the mapping, but I get an error. - Trying to manually modify /proc/[PID]/uid_map using newuidmap for each user. However, I’ve never been able to map more than one user, and I can’t seem to map UID 0 (root) at all. I’ve read the man pages and followed the constraints mentioned there, but I’m still getting error messages. For example:

# terminal 1

unshare --user bash
echo $$ # 11591

# terminal 2 as user 'alex' (uid = 1000)

newuidmap 11591 0 0 1
# newuidmap: uid range [0-1) -> [0-1) not allowed

newuidmap 11591 1001 1001 1
# newuidmap: uid range [1001-1002) -> [1001-1002) not allowed

These commands fail, even when run with sudo. I also tried mapping to subuids that I’ve declared, but it still doesn’t work:

cat /etc/subuid

alex:100000:65536
root:200000:65536
self:300000:65536

cat /etc/subgid

alex:100000:65536
root:200000:65536
self:300000:65536

I am new to PAM and its quite complex to pinpoint a specific module or config file, thus asking this. I want to allow root access only from the console i.e if someone is physically present on that system. When someone tries any ways of remote login to root(even if he has the correct password) like ssh, telnet, etc(any means), it should not be allowed. Only when the console is accessed, the root access should be granted on correct password. How do i achieve this by using PAM ?

Everything I am reading says that for chroot to work with sftp root has to own the folder. I want to make it so a user can only sftp to a sub-directory in their home folder like /home/user/some/folder. Obviously ro

Is there a way to run/debug my Java program from Netbeans as root? Context: I'm working on RaspberryPi 4 and using PI4J library to access GPIO. Lib offers several I/O Providers and the only one that covers all my use cases (digital input, digital output, SPI) is PiGpio which according to documentation requires that any app using it is run with sudo - otherwise when trying to access GPIO results in a crash with an exception Exception in thread "main" com.pi4j.library.pigpio.PiGpioException: PIGPIO ERROR: PI_INIT_FAILEDl pigpio initialisation failed The first thing I tried is running Netbeans from terminal using sudo netbeans, but that results with IDE opening in an empty window with no user interface and warnings in terminal: WARNING: package com.apple.eio not in java.desktop WARNING: package jdk.internal.opt not in java.desktop WARNING: package com.sun.java.swing.plaf.windows not in java.desktop WARNING: package com.apple.laf not in java.desktop So that didn't work. Is there something else I could try to run my program from Netbeans as root?

Adding any user to root group seems like something not safe, but is it? Here is my use case. I have PHP application that connects to Postgres database. Application is dockerized and run in container inside GCP Cloud Run service. Postgres database requires client SSL certificates to connect. I have CA, cert and key files inside GCP Secret Manager. When deploying Cloud Run service I'm mounting those files inside app container as volumes. All files are mounted with owner and group root:root. However, the application is running as www-data:www-data user. Because of this PHP complains that it cannot read the SSL key file. Those files are mounted as read-only and I can only change file mode while mounting, but not ownership. What I did to fix this was changing files mode to 0640 and adding www-data user to root group. All works fine but **is it secure**? App image uses Debian Bookworm as base.

I'm having an unusual problem. I created the user, and, I thought, set it's password. For additional context, this is in a production environment, and we are using RHEL 8.10

[root@computer ~] useradd user -G wheel
[root@computer ~] passwd user
New password:
BAD PASSWORD: blah blah
Retype new password:
passwd: all authentication tokens updated successfully

All wheel users have the ability to SSH into this server. When I attempted to SSH into the server using the new credentials, I get "bad password" error. Okay, so I attempt to login into the machine directly using the tty, once again, bad password. I log back in as root, and attempt to reset the password, this time verifying that I am inputting the correct password. Once again I am denied logging in due to bad password. I then attempted to log in with my own user account, and got denied because bad password. This is very unusual, as I am able SSH into the server using my personal user with the same credentials that got denied. I'm stuck between this being a simple user error, or if there's Linux configuration options (specific to RHEL 8) that would prevent new passwords to be written. I thought that maybe / is mounted as read-only, but I'm able to touch new files to /etc. Addtionally, mount -l | grep "ro" does not list the root partition as read-only. Any ideas to check would be greatly appreciated. EDIT: I also just realized, if it was a read-only problem, the new user I created wouldn't have been registered. I verified the user was created and added to the correct group via cat /etc/passwd and cat /etc/group

I recently experienced a Mass Email attack where someone "sniffed" my email and was using it as a "From:myemail@email.com" in the mass attack. I believe my email info get sniffed because I enabled IMAP, used SSL instead of TLS, among other things. But I also got lazy with root user in my dockerfile. I'm a data engineer and not a linux pro. I'm sharing a dockerfile that I'm extending from apache-airflow after running a build command. **Can you please help me do something other than "USER root" below? How can I make everything just the "myuser"?**

FROM apache/airflow:latest
COPY --chown=myuser:root requirements.txt /
USER root
RUN apt-get update
RUN apt-get install -y --no-install-recommends vim
RUN apt-get install libmysqlclient-dev
RUN apt-get autoremove -yqq --purge
RUN apt-get clean
RUN rm -rf /var/lib/apt/lists/*

USER myuser
ENV PYTHONPATH=/usr/local/bin/python:...
RUN export PATH=$PATH:$PYTHONPATH
RUN pip install --upgrade pip
RUN pip install --no-cache-dir -r /requirements.txt

I tried removing chown and starting with USER myuser instead of root, but I got a permission denied error when running the first RUN apt-get... commands.