LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 07-10-2009, 12:55 PM   #1
jahnieboi
LQ Newbie
 
Registered: Jul 2009
Location: San Jose
Posts: 6

Rep: Reputation: 0
How to grant sudo without allowing users to su to root


Does anyone know how I can grant users access to all root privileges, except allowing them to su?

I want to be to monitor and track who changes what.

Thanks,

Jahnieboi
 
Old 07-10-2009, 02:19 PM   #2
abi0909
Member
 
Registered: Jul 2009
Distribution: Ubuntu, RedHat, VMWare, CentOS, Windows, Android, Mac
Posts: 55

Rep: Reputation: 18
Configure sudo; that is meant to give a user all privileges as the root user while still not allowing him direct root access.

About monitoring who changed what, I do not think there is any way of doing it as far as I know.

But I would give you one idea: change the root password so that your prospective root user would not know it. Also add his user id to have sudo access. And if you need to know whether any file changed, you can see when the file was last modified and also when the user last logged into the system. And if they match, it would mean he might have modified it.

Just an idea.
 
Old 07-10-2009, 02:54 PM   #3
Disillusionist
Senior Member
 
Registered: Aug 2004
Location: England
Distribution: Ubuntu
Posts: 1,039

Rep: Reputation: 98
Do not allow sudo access to vi or emacs!

These (and many other applications) allow you to drop down to a shell prompt, thus gaining full root privileges.

The basic rule is to give only as much access as they need.
 
Old 07-10-2009, 03:54 PM   #4
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
What privileges do you exactly want them to have? If you want to give them sudo ALL, well, they're going to have root on your machine. If you just want them to be able to run certain commands with privileges, your sudoers file should have many examples of how to do that.


Quote:
Originally Posted by abi0909 View Post
Configure sudo; that is meant to give a user all privileges as the root user while still not allowing him direct root access.

Try running `sudo su -`. No root password required.
 
Old 07-10-2009, 05:52 PM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Take a look at the sudoers man page:
Code:
jill       SERVERS = /usr/bin/, !SU, !SHELLS

For any machine in the SERVERS Host_Alias, jill may run any commands in
the directory /usr/bin/ except for those commands belonging to the SU
and SHELLS Cmnd_Aliases.
Vim has a restricted version (rvim) which doesn't allow escaping to the shell or executing commands.

However, this is just an advisory restriction. A sudo user could simply copy a file (such as /bin/bash) to one with a different name. The solution may be a political one rather than a technical one. Allowing nearly any command, plugging holes in programs like vim, and controlling the environment will not be bulletproof.

Be careful who you allow to use sudo.
It may be too difficult to restrict su'ing to root. It would be easier to allow a group to execute a set group of commands.

If what you want to do is allow regular users to perform some tasks such as mounting a drive, look at PolicyKit. You can make a distinction such as whether the user is on a local terminal, or logged in remotely.
 
Old 07-10-2009, 06:18 PM   #6
abi0909
Member
 
Registered: Jul 2009
Distribution: Ubuntu, RedHat, VMWare, CentOS, Windows, Android, Mac
Posts: 55

Rep: Reputation: 18
Quote:
Originally Posted by karamarisan View Post
Try running `sudo su -`. No root password required.
oops .. my bad
 
Old 07-10-2009, 07:16 PM   #7
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,965

Rep: Reputation: 3622
You are doing it wrong. Users never need admin rights.

In fact admin's don't need it except to perform admin tasks.

That is why there are admins and plain old users.
 
Old 07-13-2009, 10:13 AM   #8
jahnieboi
LQ Newbie
 
Registered: Jul 2009
Location: San Jose
Posts: 6

Original Poster
Rep: Reputation: 0
Thank you all for responding. After careful research, I have found that you can specify entries in the sudoers files to exclude commands.

I have made these entries, forcing everyone to type in their passwords to execute admin commands. I have also denied them the ability to remove their own .sh_history file, so that the "root" account can view them for history.

Example: ALL=ALL, !/bin/su root, !/bin/rm .sh_history, etc. I had added a lot more stuff, but you get what I am doing.

I have then taken away the read privileges on the sudoers file, so that only "root" can see it.

This may be the long way, but this is the only way I know how to do the job and I understand that it will only be as secure and effective on how I configure it, so I am trying to think of all possibilities and holes in this method.

Thanks for spending the time to reply to my post. I really appreciate all of your efforts!
 
Old 07-13-2009, 12:03 PM   #9
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
I see what you're trying to do, but the way you're trying to do it is a losing battle. Things I would do on your system:

1. I don't know if bash lets you configure where your history is saved, but if users can chsh, other shells store it elsewhere. I know for a fact that my shell, zsh, will let you store your history anywhere you can write, including /dev/null.
2. If I can sudo any editor, taking away read privileges on sudoers for non-root users will present only a moment's interruption when the unprivileged attempt fails.
3. If I can sudo any editor (or even sed or Perl), I'd add a line to the bottom of root's .bashrc that would run a script in my homedir (say, hidden as my .bashrc) that could do anything, no matter what you blacklisted, because it would be run by root proper the next time you su -'d. Making said script remove said line from said file afterwards would be trivially easy.

In short, you don't want blacklisting because you CANNOT anticipate even most possible attacks. You want whitelisting. What do your users actually need privileges for? Anything?

Look up the principle of least privilege for a highly relevant read.


Edit: It doesn't matter.
Code:
The Book of chmod, Chapter 3:33
The users went to r--t, and they asked him, 'Can we not remove read
permissions from our files so that we can have secrets from You?'
And r--t spake: "Yeah, not so much. I can pretty much do whatever 
I want around here."

Last edited by karamarisan; 07-13-2009 at 12:11 PM.
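A check for the two sudoers patterns this thread warns about, the "ALL minus a few commands" blacklist from posts #5 and #8 and the full-root `ALL` grant from post #4, next to the whitelist form post #9 recommends. This is an added example, not code from the thread; the user names, group, hosts and command paths in the fragments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: lint sudoers fragments for the two
# patterns the replies warn about. Users, hosts and paths are constructed.

# Constructed "before": the blacklist approach from post #8 (ALL, minus a
# few commands). Post #9 explains why this cannot be made watertight.
BLACKLIST='jahnieboi ALL=(ALL) ALL, !/bin/su, !/bin/rm .sh_history
bob       ALL=(ALL) /usr/bin/, !/usr/bin/vi'

# Constructed "after": an explicit whitelist, the form post #9 recommends.
WHITELIST='Cmnd_Alias MOUNTS   = /bin/mount, /bin/umount
Cmnd_Alias SERVICES = /sbin/service httpd restart
%ops ALL=(root) MOUNTS, SERVICES'

# lint_sudoers FRAGMENT: print one line per finding.
#   FULL_ROOT: the command list is ALL, which is root (post #4, "sudo su -").
#   BLACKLIST: the command list subtracts entries with '!' (posts #5, #9).
lint_sudoers() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;                                  # blank/comment
            Defaults*|Cmnd_Alias*|Host_Alias*|User_Alias*|Runas_Alias*) continue ;;
        esac
        cmds=${line#*=}                                # text after 'user HOST='
        case "$cmds" in *\)*) cmds=${cmds#*\)} ;; esac # drop the (runas) part
        # Compare whole words so a path like /usr/bin/ALLOWED is not taken for ALL.
        case " $(printf '%s' "$cmds" | tr ',' ' ') " in
            *' ALL '*) printf 'FULL_ROOT: %s\n' "$line" ;;
        esac
        case "$cmds" in
            *'!'*) printf 'BLACKLIST: %s\n' "$line" ;;
        esac
    done
}

# count_findings FRAGMENT TAG: number of lines lint_sudoers tagged TAG.
count_findings() {
    lint_sudoers "$1" | grep -c "^$2:" || true
}

lint_sudoers "$BLACKLIST"   # two BLACKLIST findings, one FULL_ROOT
lint_sudoers "$WHITELIST"   # no findings
```

The man page line quoted in post #5 (`jill SERVERS = /usr/bin/, !SU, !SHELLS`) is flagged as BLACKLIST too, which matches jschiwal's point that such exclusions are only advisory.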
All times are GMT -5. The time now is 11:52 PM.