LinuxQuestions.org
Old 03-20-2012, 12:35 PM   #1
smilemukul
Member
 
Registered: Jun 2009
Distribution: Redhat,CentOS,Ubuntu,Puppet
Posts: 292

Rep: Reputation: 34
How to hardcode a system's hostname or serial number


Hi,

How to hardcode a system's hostname or serial number as,

dmidecode -s system-serial-number

so that no one can change the system's hostname?

Any solution will be appreciated.
 
Old 03-20-2012, 04:01 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
I don't understand what you're asking; anything can be changed if it is
accessible. The system's serial may be changeable if one can swap the
motherboard ...

Last edited by Tinkster; 03-20-2012 at 04:02 PM.
 
Old 03-20-2012, 10:18 PM   #3
jefro
Moderator
 
Registered: Mar 2008
Posts: 15,374

Rep: Reputation: 2198
Why are admins running around changing hostnames?

Or more correctly, why do people have too much access granted to do that task?

I suppose you could create a network script that has to be run that checks it.

Guess you could create one of those security keys that somehow did it.

Anyone with physical access could change it unless the folder was encrypted.

Last edited by jefro; 03-20-2012 at 10:20 PM.
 
Old 03-21-2012, 02:45 AM   #4
smilemukul
Member
 
Registered: Jun 2009
Distribution: Redhat,CentOS,Ubuntu,Puppet
Posts: 292

Original Poster
Rep: Reputation: 34
jefro, I agree with you, but I want to restrict changing hostnames from root, as some of the users/team require the root access (admin root access) to perform their task. Can you elaborate more or give an example to encrypt the folder or create security keys?
 
Old 03-21-2012, 03:26 AM   #5
smilemukul
Member
 
Registered: Jun 2009
Distribution: Redhat,CentOS,Ubuntu,Puppet
Posts: 292

Original Poster
Rep: Reputation: 34
How to restrict sudoers file access for root

Hi,

How to restrict sudoers file access for root through PAM?

Any solution will be appreciated other than chmod or chattr.
 
Old 03-21-2012, 03:30 AM   #6
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 190Reputation: 190
huh?
 
Old 03-21-2012, 03:31 AM   #7
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1295
Hi,

It would be helpful if you provide a bit more background information on what exactly you want to do. Root is 'all powerful' and has access to everything on a system. So please clarify what you want to obtain since prohibiting root from accessing the sudoers file will not be possible in my opinion. You could limit access using chattr but you indicated that's not what you want.

Kind regards,

Eric
 
Old 03-21-2012, 03:50 AM   #8
smilemukul
Member
 
Registered: Jun 2009
Distribution: Redhat,CentOS,Ubuntu,Puppet
Posts: 292

Original Poster
Rep: Reputation: 34
Actually there are 3000+ users in my network & some users have the admin access to perform their task, so to secure systems in the network where they could not modify hostname & sudoers files.
 
Old 03-21-2012, 04:40 AM   #9
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1295
Hi,

Looking at it from that point of view, I'd enforce using a configuration controlled by you for sudoers by setting it up with Puppet, for example. But again, if they have the admin password they could easily disable the Puppet client, so you'd have to respawn it, which could also be 'edited' by the root user. I strongly suggest you limit root access to the minimal number of people possible and configure sudo to give extra permissions to additional users, but limiting them to the strict minimal commands necessary. I've recently encountered the same problem (with fewer users) and have it set up with Puppet and limiting access with sudo to a limited set of commands. Permissions to files I've set with ACLs. In my situation there are only three guys who have the root password and about 25 who use the same environments with sudo where needed without any problems.

Kind regards,

Eric
 
Old 03-21-2012, 07:30 AM   #10
smilemukul
Member
 
Registered: Jun 2009
Distribution: Redhat,CentOS,Ubuntu,Puppet
Posts: 292

Original Poster
Rep: Reputation: 34
Thanks for the info. Actually I am using Puppet & want to restrict the root user so that the hostname cannot be changed temporarily or permanently, because on doing so Puppet will pick up the modified hostname & due to the same the certs will get signed.
 
Old 03-21-2012, 12:39 PM   #11
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1295
Hi,

Does that mean that you're automatically signing the certs? In this case you could deactivate autosigning to avoid that problem OR, more adequate, if you have that possibility, would be to force based on domain name. This would force the same sudoers configuration on whatever host in that domain and you can keep the autosigning active. But you'd still stay in the same vicious circle, they could disable the Puppet service. Best solution in my opinion is to change the admin password and limit them by configuring sudo more specifically to their needs.

Kind regards,

Eric
 
Old 03-21-2012, 04:17 PM   #12
jefro
Moderator
 
Registered: Mar 2008
Posts: 15,374

Rep: Reputation: 2198
See this for how to limit these users. They have too much if they can simply just su and go wild. http://www.cyberciti.biz/tips/allow-...s-as-root.html



I never tried it but it may be possible to encrypt that file or folder so that only the OS can open it or some authenticated user. This still goes back to you gave idiots too much power. Who would change a hostname? For what reason? I'd suspect foul play.
 
Old 03-21-2012, 05:12 PM   #13
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Quote:
Originally Posted by jefro
See this for how to limit these users. They have too much if they can simply just su and go wild. http://www.cyberciti.biz/tips/allow-...s-as-root.html

I never tried it but it may be possible to encrypt that file or folder so that only the OS can open it or some authenticated user. This still goes back to you gave idiots too much power. Who would change a hostname? For what reason? I'd suspect foul play.

You can't encrypt /etc ... no one would be able to use the machine at all.
 
Old 03-21-2012, 05:24 PM   #14
Sydney
Member
 
Registered: Mar 2012
Distribution: Scientific Linux
Posts: 147

Rep: Reputation: 36
How about giving them sudo access to only the commands they need? You should be able to man sudo for more information on how to use it to that effect.
 
Old 03-21-2012, 08:21 PM   #15
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Quote:
Originally Posted by smilemukul
Actually there are 3000+ users in my network & some users have the admin access to perform their task, so to secure systems in the network where they could not modify hostname & sudoers files.

The answer to this is not how to restrict access to the sudoers file, but
to modify the sudoers file so these users w/ elevated privilege levels
can do only a few well defined things; sudo - and sudo su <-> shouldn't
be among them; EVER!



Cheers,
Tink

Last edited by Tinkster; 03-21-2012 at 08:23 PM.
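
An added example, not written by any poster in this thread: a small Python audit that reads sudoers text and flags grants of `ALL`, root shells, policy editors or the `hostname` command, which is the check the replies above argue for. The deny-list, the group and user names and the sample policy are constructed for illustration, and the parser is simplified (one level of `Cmnd_Alias` expansion, no `#uid` or include handling).

```python
import os
import re

# Assumed deny-list (example only): root shells, policy editors, hostname.
RISKY = {"ALL", "su", "sudo", "sh", "bash", "zsh", "visudo", "hostname"}
TAG = re.compile(r"\b[A-Z_]+:\s*")   # NOPASSWD:, NOEXEC:, ...
RUNAS = re.compile(r"\([^)]*\)")     # (root), (ALL:ALL), ...

def logical_lines(text):  # join "\" continuations, drop comments/Defaults
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "Defaults")):
            yield line

def split_cmds(spec):
    spec = TAG.sub("", RUNAS.sub("", spec))
    return [c.strip() for c in spec.split(",") if c.strip()]

def audit(text):
    """Return (who, command) pairs for every risky grant in sudoers text."""
    aliases, rules, findings = {}, [], []
    for line in logical_lines(text):
        head, _, rest = line.partition("=")
        words = head.split()
        if words[0] == "Cmnd_Alias":
            aliases[words[1]] = split_cmds(rest)
        elif not words[0].endswith("_Alias"):
            rules.append((words[0], split_cmds(rest)))
    for who, cmds in rules:
        for cmd in (c for item in cmds for c in aliases.get(item, [item])):
            if cmd.startswith("!"):  # negated entry; an ALL beside it is still flagged
                continue
            name = cmd.split()[0]
            if name == "ALL" or os.path.basename(name) in RISKY:
                findings.append((who, cmd))
    return findings

# Constructed sample policy, not taken from the thread.
SAMPLE = """\
Cmnd_Alias WEB = /sbin/service httpd restart, \\
                 /sbin/service httpd status
Cmnd_Alias SHELLS = /bin/bash, /bin/su
%admins  ALL=(ALL) NOPASSWD: ALL
%webops  ALL=(root) WEB
dave     ALL=(root) SHELLS, /bin/hostname
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample, `%webops` passes because its alias expands only to the two service commands, while `%admins` and `dave` are reported.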
 
  


All times are GMT -5.
