LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 07-16-2007, 04:51 AM   #1
bakekelwa
LQ Newbie
 
Registered: Apr 2006
Posts: 3

Rep: Reputation: 0
How do i give root access to multiple users?


I'm running a Fedora Core 2 on my machine. I want to create 3 other users and i want them to have root privileges. How do i do this?
 
Old 07-16-2007, 04:54 AM   #2
fatzeus
Member
 
Registered: Nov 2004
Location: Venice, Italy
Distribution: Gentoo
Posts: 44

Rep: Reputation: 15
Just assign them UID 0. You must edit the file /etc/passwd

Typical Format:

username:x:UID:GID:INFO:HOME:SHELL
 
Old 07-16-2007, 05:10 AM   #3
b0uncer
Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
That's something you really should not be doing. A machine only should have one administrator with root privileges, because if there are others with full permissions to everywhere, the system's security holes (which are never 100% filled) just multiply. The good way to let other users (than root) do some things with root privileges is to use sudo. There's this su command that people can use to become root, but that's just as stupid for several users, because then they would all need to know the root password, and you couldn't tell who of them did something because everybody used the same user. With sudo you can control who can use what command as root, and with or without his/her own password. Ok, it's not wise to let do anything without a password, but that's something you can do so I mentioned it also.

Most modern distributions should have sudo installed. What you do in order to use it, is edit /etc/sudoers and configure the user(s)/group(s) that you want to have access to some command (or all, but again, it's foolish to let access anywhere -> then they could access root account anyway, and your system was unsecure again). In some cases it's also needed for those users to belong to the sudo group to be able to use the command at all. After this is set up, the user can
Code:
sudo /sbin/somecommand_that_only_root_can_run
and they're prompted for their own password, after which the command is run with root privileges (without root login/password needed). When the commanded program exits, no root login is left open (you can specify a time for how long 'sudo' remembers you gave a password to it, so quick subsequent sudo's don't ask for password each time, only after specified time from last command).

Surely the other 3 users don't need root permissions for everything on the system. Better have one root account (for yourself, if you're the admin), and specify what the other 3 need to be able to do with root privileges, and then configure sudo so that they can only access those things. Be careful with sudo, if you let the users run something you didn't expect, they might gain root login anyway for example if you let them run 'su' with sudo, or a shell, they've got root login for everything...

Quote:
Just assign them UID 0. You must edit the file /etc/passwd
I don't think you could do that. UIDs are unique, or should be at least, and if the system permitted you to have multiple identical UIDs, you could start waiting for a catastrophe. What if somebody wanted to run something as UID=xxxx, but there were two accounts, with different permissions, that had the same UID? Your system couldn't figure out which one to use. It's just insane. I've never tried what happens if you do manually alter passwd and shadow (they've both checked!), but I don't expect it to be anything nice. Root has UID 0, others don't. Use sudo.

Last edited by b0uncer; 07-16-2007 at 05:12 AM.
 
Old 07-16-2007, 05:16 AM   #4
fatzeus
Member
 
Registered: Nov 2004
Location: Venice, Italy
Distribution: Gentoo
Posts: 44

Rep: Reputation: 15
b0uncer is right, anyway you could have multiple users with UID 0. The permission are store with UID so all works ok.
 
Old 07-16-2007, 05:31 AM   #5
bakekelwa
LQ Newbie
 
Registered: Apr 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the advice. I'll try put your suggestions.
 
Old 07-16-2007, 03:48 PM   #6
jakykong
Member
 
Registered: Apr 2006
Location: Washington
Distribution: Debian Gnu/Linux Lenny on AMD64x2 (32-bit mode), an AMD Sempron 64 laptop, debian, 32bit
Posts: 101

Rep: Reputation: 15
I would like to assume you mean all 3 other users should have full root privelidges (like, maybe they're all for you, but for different purposes -- I have one for software development, web browsing, and school, personally).

In this case, you still don't want multiple users with UID 0. This just mucks up and confuses the whole system -- and as soon as you want to take root priveledges away, you have to chown every file that user owns (and it could be hard to locate them -- with that sort of priveledge, they could be anywhere!)

Sudo is still your best option.

There is a line at the bottom of the /etc/sudoers file, something like
root ALL=(ALL) ALL
(i might have the parentheses in the wrong place. I don't edit that file often.)
Just copy this line, and paste it right below changing root to the username.

This will allow that user to run any program as root using his password. I don't at all recommend this if you're actually running a multi-user system (in that case, specify a program.), but if you're just keeping things neat, it's a handy way to allow things to be done.
 
Old 07-17-2007, 02:13 AM   #7
bakekelwa
LQ Newbie
 
Registered: Apr 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the replies. The deeper motivation in having 3 users with 3 accounts is to attempt to keep track of what changes each person makes. So is there software that keeps track of changes made on the system? Does linux keep track of changes made?
 
Old 07-17-2007, 02:23 AM   #8
b0uncer
Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
You can use software like tripwire to hunt down modifications made to the filesystem.
 
Old 07-17-2007, 02:37 AM   #9
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Quote:
Originally Posted by bakekelwa
Thanks for the replies. The deeper motivation in having 3 users with 3 accounts is to attempt to keep track of what changes each person makes. So is there software that keeps track of changes made on the system? Does linux keep track of changes made?
One of the reasons for using sudo is that sudo logs each command. Using su doesn't. It can take work locking sudo down to prevent a user from running "sudo /bin/bash" or other commands that have shell escapes. For example, you wouldn't want these users running "sudo visudo" which would allow them to change the sudoers file. If they use vim as root, you need to only allow vim with the option that doesn't have the "!" shell escape. Sometimes the human relations aspect is more important than the technical security aspect. Only trust root access to users you trust not to do things like alter logs or abuse root access to read other users' files.
 
Old 07-17-2007, 02:54 AM   #10
b0uncer
Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
Quote:
Only trust root access to users you trust not to do things like alter logs or abuse root access to read other users' files.
That's 100% true. Any techinical means can't provide a bullet-proof environment, the first and most important factor to think about in these things is "can I trust her/him". Still it doesn't hurt to use technical means to try and minimize the threat. I might be oldish, but I tend to think that only one person (the administrator of the machine) should have root access, and the rest should not. That's the first step to take, rest is up to the admin.
 
Old 07-17-2007, 04:37 AM   #11
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,978
Blog Entries: 11

Rep: Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879
One very elegant solution is to use sudo to give people access
to "rootshell" and log the activities to a remote host where
the potential root users don't have access to the file system.

As father Stalin put it:"Trust is good. Control is better!" :}


Cheers,
Tink
 
Old 07-18-2007, 05:26 AM   #12
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Don't you mean "Uncle Joe"?
 
Old 07-18-2007, 08:01 AM   #13
mobilemonkey
Member
 
Registered: May 2007
Distribution: slackware 11
Posts: 81

Rep: Reputation: 15
i use this method from LQ user 'odcheck' (thankyou )

http://www.linuxquestions.org/questi...46#post2394646

seems quite a nice and secure way to use sudo to me, but what do other LQ users make of it? are there any possible security issues associated with this method, or is there a way to tighten it up even further? just throwing this out there.

Last edited by mobilemonkey; 07-18-2007 at 08:05 AM.
 
Old 07-18-2007, 01:14 PM   #14
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,978
Blog Entries: 11

Rep: Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879
Quote:
Originally Posted by mobilemonkey
i use this method from LQ user 'odcheck' (thankyou )

http://www.linuxquestions.org/questi...46#post2394646

seems quite a nice and secure way to use sudo to me, but what do other LQ users make of it? are there any possible security issues associated with this method, or is there a way to tighten it up even further? just throwing this out there.
Allowing people to halt or reboot the machine is
hardly the equivalent of root access, though. To
do that you'd have to grant them ALL (whether it's
password protected or not doesn't really make much
difference). And once they have that they can
just 'sudo su -' or 'sudo -i', and away they go
with the only (easily manipulated) log being
.bash_history ....



Cheers,
Tink
 
Old 07-19-2007, 11:14 AM   #15
mobilemonkey
Member
 
Registered: May 2007
Distribution: slackware 11
Posts: 81

Rep: Reputation: 15
thanks tinkster, as you can guess im a bit of a noob. i need to look into it all a bit more
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to give access to KPPP to users other then root mystic_durle12 Linux - Newbie 5 06-30-2007 05:33 PM
give access to users Hern_28 Slackware 2 03-21-2007 02:29 PM
How to give non-root users access to mounted partitions? black hole sun Linux - Software 5 10-28-2004 05:52 PM
Give certain users more access to resources tearinox Slackware 2 05-21-2004 02:44 AM
How to give users access to installed program? Tiyogi Linux - Software 4 03-08-2004 07:49 AM


All times are GMT -5. The time now is 03:11 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration