mschoen
Posts: 79 | Thanked: 8 times | Joined on Mar 2006
#1
I've seen bits and pieces of threads on this forum pertaining to my question, but I'll ask the question here, and perhaps this will be a guide for others as well as myself.

SSH is set up (I did passwd -l root) to block root access via shell. However while logged in as user into shell you can obviously still sudo gainroot and su -. So what is the difference between that, and logging in as root?

My question is, what if you gave others access to user via shell, for whatever reason. Is there a way to block them from sudo gainroot and su - and ultimately giving root access to them?
 
Posts: 227 | Thanked: 51 times | Joined on Feb 2006
#2
Good general linux question and a somewhat philosophical question. There actually was a pretty good article on slashdot today about this as it relates to Mac OS X.

The way you control access to resources on your system is via users and groups. There is no way I know of to have everyone log in using the same user name but give different people different privilege levels. You can force sudo to use a password and set it different than user.

But this is a wireless tablet PC, not a desktop or a server. Why would you be giving other people access to your system via ssh? If you really need a multi-user environment this is really an awkward platform for such a thing. But this is Linux, you don't need a good reason. You could set the system up as a file server if you wanted.
David
 
mschoen
Posts: 79 | Thanked: 8 times | Joined on Mar 2006
#3
I see what you're saying. As I quote "...for whatever reason." I wasn't planning on doing it. BUT WHAT IF I WAS! hah. Like you said. It's *nix isn't it?

I will also add... What if, someone gains access to your user account *somehow* perhaps if you're at a hotspot wifi or something... they can gain root through user, while never logging in as actual root. Just a security thought. Not that I'd necessarily be running ssh daemon at a hotspot :P. BUT WHAT IF I WAS! :P

Last edited by mschoen; 2006-03-21 at 22:33.
 
Posts: 227 | Thanked: 51 times | Joined on Feb 2006
#4
There are many arguments for and against sudo etc... But the simplest is this:

Every Unix box has a root user. It may be disabled or not used but it is a common feature. Root is a "known target".

To hack your personal account on a unix box they have to guess your username and your password.

Actually I run the ssh daemon all the time on my 770 so I can do scp commands to push a file easily. But I gave user a password and I set up my system to authenticate using keys to make the process easier. If I was really security paranoid I would disable password login to ssh and require keys. Good luck hacking that. I'm sure it could be done but the level of effort it would require would not be justified on my system.
David
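
An added example, not part of any post in this thread: a small checker that reads sshd_config text and reports whether root login or password-based login is still possible, which is the difference between the "password plus keys" and "keys only" setups described in post #4. It assumes OpenSSH's sshd_config format and current OpenSSH defaults; the function names and sample configs are constructed for illustration.

```python
# Added example. Assumptions: OpenSSH semantics (case-insensitive keywords,
# first occurrence wins); only the global section before any Match is read.

# Defaults of current OpenSSH releases (assumption: older/distro builds differ).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Deprecated alias still found in older config files.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks are out of scope here
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(parts) > 1:
            seen.setdefault(key, parts[1].lower())  # first occurrence wins
    return {**DEFAULTS, **seen}

def audit(config_text):
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in directly")
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed")
    if s["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication yes: may still prompt for a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key login unavailable")
    return findings

# Constructed sample inputs (not taken from any real device).
PASSWORD_AND_KEYS = "PermitRootLogin yes\nPubkeyAuthentication yes\n"
KEYS_ONLY = ("PermitRootLogin no\nPasswordAuthentication no\n"
             "ChallengeResponseAuthentication no\nPasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, text in (("password+keys", PASSWORD_AND_KEYS), ("keys only", KEYS_ONLY)):
        print(name, audit(text) or "no findings")
```

On a machine with OpenSSH installed, `sshd -T` prints the effective configuration including Match handling, so this parser is only a quick offline check of a config file.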
 
