LinuxQuestions.org


bakekelwa 07-16-2007 04:51 AM

How do I give root access to multiple users?

I'm running Fedora Core 2 on my machine. I want to create 3 other users and I want them to have root privileges. How do I do this?

fatzeus 07-16-2007 04:54 AM

Just assign them UID 0. You must edit the file /etc/passwd

Typical Format:

username:x:UID:GID:INFO:HOME:SHELL

b0uncer 07-16-2007 05:10 AM

That's something you really should not be doing. A machine only should have one administrator with root privileges, because if there are others with full permissions to everywhere, the system's security holes (which are never 100% filled) just multiply. The good way to let other users (than root) do some things with root privileges is to use sudo. There's this su command that people can use to become root, but that's just as stupid for several users, because then they would all need to know the root password, and you couldn't tell who of them did something because everybody used the same user. With sudo you can control who can use what command as root, and with or without his/her own password. Ok, it's not wise to let do anything without a password, but that's something you can do so I mentioned it also.

Most modern distributions should have sudo installed. What you do in order to use it, is edit /etc/sudoers and configure the user(s)/group(s) that you want to have access to some command (or all, but again, it's foolish to let access anywhere -> then they could access root account anyway, and your system was unsecure again). In some cases it's also needed for those users to belong to the sudo group to be able to use the command at all. After this is set up, the user can
Code:

sudo /sbin/somecommand_that_only_root_can_run
and they're prompted for their own password, after which the command is run with root privileges (without root login/password needed). When the commanded program exits, no root login is left open (you can specify a time for how long 'sudo' remembers you gave a password to it, so quick subsequent sudo's don't ask for password each time, only after specified time from last command).

Surely the other 3 users don't need root permissions for everything on the system. Better have one root account (for yourself, if you're the admin), and specify what the other 3 need to be able to do with root privileges, and then configure sudo so that they can only access those things. Be careful with sudo, if you let the users run something you didn't expect, they might gain root login anyway :) for example if you let them run 'su' with sudo, or a shell, they've got root login for everything...

Quote:

Just assign them UID 0. You must edit the file /etc/passwd
I don't think you could do that. UIDs are unique, or should be at least, and if the system permitted you to have multiple identical UIDs, you could start waiting for a catastrophe. What if somebody wanted to run something as UID=xxxx, but there were two accounts, with different permissions, that had the same UID? Your system couldn't figure out which one to use. It's just insane. I've never tried what happens if you do manually alter passwd and shadow (they've both checked!), but I don't expect it to be anything nice. Root has UID 0, others don't. Use sudo.

fatzeus 07-16-2007 05:16 AM

b0uncer is right, anyway you could have multiple users with UID 0. The permissions are stored with UID so all works ok.
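A check for the situation discussed in the posts above, added here as an example and not written by any of the posters: it parses text in the `username:x:UID:GID:INFO:HOME:SHELL` format and reports accounts other than root that carry UID 0, any UID shared by several names, and lines that do not parse. The sample accounts are constructed; `audit_passwd` is a hypothetical helper name.

```python
from collections import defaultdict

# Constructed sample in /etc/passwd format (username:x:UID:GID:INFO:HOME:SHELL).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:0:0:Bob:/home/bob:/bin/bash
carol:x:500:501:Carol:/home/carol:/bin/bash
broken-line-without-fields
"""

def audit_passwd(text):
    """Return (extra_root, shared_uids, malformed_line_numbers)."""
    by_uid = defaultdict(list)
    malformed = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            malformed.append(lineno)
            continue
        by_uid[int(fields[2])].append(fields[0])
    # Ownership and permissions are keyed by UID, so every name listed here
    # is indistinguishable from root to the kernel and in file ownership.
    extra_root = [name for name in by_uid.get(0, []) if name != "root"]
    shared = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return extra_root, shared, malformed

if __name__ == "__main__":
    extra_root, shared, malformed = audit_passwd(SAMPLE_PASSWD)
    print("UID 0 accounts besides root:", extra_root)
    print("UIDs shared by several names:", shared)
    print("Unparseable lines:", malformed)
```

To audit a real system, pass the contents of /etc/passwd to `audit_passwd` instead of the sample.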

bakekelwa 07-16-2007 05:31 AM

Thanks for the advice. I'll try put your suggestions.

jakykong 07-16-2007 03:48 PM

I would like to assume you mean all 3 other users should have full root privileges (like, maybe they're all for you, but for different purposes -- I have one for software development, web browsing, and school, personally).

In this case, you still don't want multiple users with UID 0. This just mucks up and confuses the whole system -- and as soon as you want to take root privileges away, you have to chown every file that user owns (and it could be hard to locate them -- with that sort of privilege, they could be anywhere!)

Sudo is still your best option.

There is a line at the bottom of the /etc/sudoers file, something like
root ALL=(ALL) ALL
(I might have the parentheses in the wrong place. I don't edit that file often.)
Just copy this line, and paste it right below changing root to the username.

This will allow that user to run any program as root using his password. I don't at all recommend this if you're actually running a multi-user system (in that case, specify a program.), but if you're just keeping things neat, it's a handy way to allow things to be done.

bakekelwa 07-17-2007 02:13 AM

Thanks for the replies. The deeper motivation in having 3 users with 3 accounts is to attempt to keep track of what changes each person makes. So is there software that keeps track of changes made on the system? Does Linux keep track of changes made?

b0uncer 07-17-2007 02:23 AM

You can use software like tripwire to hunt down modifications made to the filesystem.

jschiwal 07-17-2007 02:37 AM

Quote:

Originally Posted by bakekelwa
Thanks for the replies. The deeper motivation in having 3 users with 3 accounts is to attempt to keep track of what changes each person makes. So is there software that keeps track of changes made on the system? Does Linux keep track of changes made?

One of the reasons for using sudo is that sudo logs each command. Using su doesn't. It can take work locking sudo down to prevent a user from running "sudo /bin/bash" or other commands that have shell escapes. For example, you wouldn't want these users running "sudo visudo" which would allow them to change the sudoers file. If they use vim as root, you need to only allow vim with the option that doesn't have the "!" shell escape. Sometimes the human relations aspect is more important than the technical security aspect. Only trust root access to users you trust not to do things like alter logs or abuse root access to read other users' files.
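A review aid for the lock-down problem described in the post above, added here as an example and not written by any of the posters: it scans sudoers-style rules and lists the ones that amount to full root, either because they grant ALL or because they allow a program the thread names as a way to a root shell. It is a line-based heuristic, not a full sudoers parser (aliases and line continuations are not expanded); the sample rules and the name `risky_rules` are constructed.

```python
import os
import re

# Constructed sudoers sample; users, hosts and commands are illustrative.
SAMPLE_SUDOERS = """\
Defaults timestamp_timeout=5
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL
bob     ALL=(root) /sbin/service httpd restart, /usr/bin/vim /etc/httpd/conf/httpd.conf
carol   ALL=(root) NOPASSWD: /usr/sbin/visudo, /bin/su -
dave    ALL=(root) /sbin/shutdown -h now
"""

# Programs the thread names as handing out root when allowed via sudo
# (su, a shell, visudo, vim), plus sh and vi as the same kind of program.
ROOT_SHELL = {"su", "sh", "bash", "visudo", "vi", "vim"}
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as "NOPASSWD: "

def risky_rules(text):
    """Return [(user, command, reason)] for non-root rules equal to full root."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m or m.group(1) == "root":
            continue
        user, cmds = m.groups()
        for cmd in cmds.split(","):
            cmd = TAGS.sub("", cmd.strip())
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((user, cmd, "any command"))
            elif os.path.basename(cmd.split()[0]) in ROOT_SHELL:
                findings.append((user, cmd, "root shell"))
    return findings

if __name__ == "__main__":
    for user, cmd, reason in risky_rules(SAMPLE_SUDOERS):
        print(f"{user}: {cmd!r} -> {reason}")
```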

b0uncer 07-17-2007 02:54 AM

Quote:

Only trust root access to users you trust not to do things like alter logs or abuse root access to read other users' files.
That's 100% true. Any technical means can't provide a bullet-proof environment, the first and most important factor to think about in these things is "can I trust her/him". Still it doesn't hurt to use technical means to try and minimize the threat. I might be oldish, but I tend to think that only one person (the administrator of the machine) should have root access, and the rest should not. That's the first step to take, rest is up to the admin.

Tinkster 07-17-2007 04:37 AM

One very elegant solution is to use sudo to give people access
to "rootshell" and log the activities to a remote host where
the potential root users don't have access to the file system.

As father Stalin put it: "Trust is good. Control is better!" :}


Cheers,
Tink

jschiwal 07-18-2007 05:26 AM

Don't you mean "Uncle Joe"?

mobilemonkey 07-18-2007 08:01 AM

I use this method from LQ user 'odcheck' (thank you :))

http://www.linuxquestions.org/questi...46#post2394646

Seems quite a nice and secure way to use sudo to me, but what do other LQ users make of it? Are there any possible security issues associated with this method, or is there a way to tighten it up even further? Just throwing this out there.

Tinkster 07-18-2007 01:14 PM

Quote:

Originally Posted by mobilemonkey
I use this method from LQ user 'odcheck' (thank you :))

http://www.linuxquestions.org/questi...46#post2394646

Seems quite a nice and secure way to use sudo to me, but what do other LQ users make of it? Are there any possible security issues associated with this method, or is there a way to tighten it up even further? Just throwing this out there.

Allowing people to halt or reboot the machine is
hardly the equivalent of root access, though. To
do that you'd have to grant them ALL (whether it's
password protected or not doesn't really make much
difference). And once they have that they can
just 'sudo su -' or 'sudo -i', and away they go
with the only (easily manipulated) log being
.bash_history ....



Cheers,
Tink

mobilemonkey 07-19-2007 11:14 AM

Thanks Tinkster, as you can guess I'm a bit of a noob. I need to look into it all a bit more ;)


All times are GMT -5.