How do I give root access to multiple users?
I'm running Fedora Core 2 on my machine. I want to create 3 other users and I want them to have root privileges. How do I do this?
|
Just assign them UID 0. You must edit the file /etc/passwd
Typical Format: username:x:UID:GID:INFO:HOME:SHELL |
That's something you really should not be doing. A machine should only have one administrator with root privileges, because if there are others with full permissions to everywhere, the system's security holes (which are never 100% filled) just multiply. The good way to let other users (than root) do some things with root privileges is to use sudo. There's this su command that people can use to become root, but that's just as stupid for several users, because then they would all need to know the root password, and you couldn't tell which of them did something because everybody used the same user. With sudo you can control who can use what command as root, and with or without his/her own password. OK, it's not wise to let them do anything without a password, but that's something you can do so I mentioned it also.
Most modern distributions should have sudo installed. What you do in order to use it is edit /etc/sudoers and configure the user(s)/group(s) that you want to have access to some command (or all, but again, it's foolish to allow access to everything -> then they could access the root account anyway, and your system would be insecure again). In some cases those users also need to belong to the sudo group to be able to use the command at all. After this is set up, the user can
Code:
sudo /sbin/somecommand_that_only_root_can_run
Surely the other 3 users don't need root permissions for everything on the system. Better to have one root account (for yourself, if you're the admin), and specify what the other 3 need to be able to do with root privileges, and then configure sudo so that they can only access those things. Be careful with sudo: if you let the users run something you didn't expect, they might gain root login anyway :) For example, if you let them run 'su' with sudo, or a shell, they've got root login for everything...
|
b0uncer is right; anyway, you could have multiple users with UID 0. The permissions are stored with the UID, so all works OK.
|
Thanks for the advice. I'll try out your suggestions.
|
I would like to assume you mean all 3 other users should have full root privileges (like, maybe they're all for you, but for different purposes -- I have one for software development, web browsing, and school, personally).
In this case, you still don't want multiple users with UID 0. This just mucks up and confuses the whole system -- and as soon as you want to take root privileges away, you have to chown every file that user owns (and it could be hard to locate them -- with that sort of privilege, they could be anywhere!) Sudo is still your best option. There is a line at the bottom of the /etc/sudoers file, something like root ALL=(ALL) ALL (I might have the parentheses in the wrong place. I don't edit that file often.) Just copy this line, and paste it right below, changing root to the username. This will allow that user to run any program as root using his password. I don't at all recommend this if you're actually running a multi-user system (in that case, specify a program), but if you're just keeping things neat, it's a handy way to allow things to be done. |
Thanks for the replies. The deeper motivation in having 3 users with 3 accounts is to attempt to keep track of what changes each person makes. So is there software that keeps track of changes made on the system? Does Linux keep track of changes made?
|
You can use software like tripwire to hunt down modifications made to the filesystem.
|
One very elegant solution is to use sudo to give people access to "rootshell" and log the activities to a remote host where the potential root users don't have access to the file system. As father Stalin put it: "Trust is good. Control is better!" :} Cheers, Tink |
Don't you mean "Uncle Joe"?
|
I use this method from LQ user 'odcheck' (thank you :))
http://www.linuxquestions.org/questi...46#post2394646
Seems quite a nice and secure way to use sudo to me, but what do other LQ users make of it? Are there any possible security issues associated with this method, or is there a way to tighten it up even further? Just throwing this out there. |
Quote:
hardly the equivalent of root access, though. To do that you'd have to grant them ALL (whether it's password protected or not doesn't really make much difference). And once they have that they can just 'sudo su -' or 'sudo -i', and away they go with the only (easily manipulated) log being .bash_history .... Cheers, Tink |
Thanks Tinkster, as you can guess I'm a bit of a noob. I need to look into it all a bit more ;)
|
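An added example, not part of the thread or any poster's code: a small shell audit for the two things discussed above, extra UID 0 accounts in /etc/passwd and sudoers rules that amount to full root (ALL, su, or a shell). The function names and every sample account and rule are constructed for illustration, and the sudoers parsing covers only simple one-line user rules.

```sh
#!/bin/sh
# Added example. All accounts and rules below are constructed sample data.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:0:0:Bob:/home/bob:/bin/bash
carol:x:501:501:Carol:/home/carol:/bin/bash'

SAMPLE_SUDOERS='# constructed sudoers fragment
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL
carol   ALL=(root) /sbin/service httpd restart, /bin/su
dave    ALL=(root) NOPASSWD: /sbin/shutdown
%wheel  ALL=(ALL) /bin/bash'

# passwd format on stdin -> names of accounts other than root with UID 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# sudoers on stdin -> "who: reason" for each rule that amounts to full root:
# a grant of ALL commands, or of su or a shell. Simplified: one rule per
# line, no aliases, no line continuations, no included files. Commands
# with shell escapes (editors, pagers) are not detected.
risky_sudo() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blanks
    $1 ~ /^(Defaults|[A-Za-z]+_Alias)/ { next }        # settings, aliases
    $1 == "root" { next }
    {
        who = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)                 # drop "user host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)              # drop "(runas)"
        gsub(/[A-Z_]+[ \t]*:[ \t]*/, "", spec)         # drop tags (NOPASSWD:)
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            split(cmds[i], w, /[ \t]+/)                # w[1] = command path
            if (w[1] == "ALL")
                print who ": all commands"
            else if (w[1] ~ /\/(su|sh|bash|csh|tcsh|ksh|zsh)$/)
                print who ": " w[1]
        }
    }'
}

# Demo on the constructed data; on a real host feed /etc/passwd and
# /etc/sudoers (readable by root only) to the functions instead.
printf '%s\n' "$SAMPLE_PASSWD"  | extra_uid0
printf '%s\n' "$SAMPLE_SUDOERS" | risky_sudo
```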