LinuxQuestions.org
Old 08-05-2010, 06:10 AM   #1
Winanjaya
Member
 
Registered: Sep 2003
Posts: 209

Rep: Reputation: 32
is it possible to deny root2 to change password of original root


I created 2nd root (root2) by running useradd -o -u 0 root2
is it possible to deny root2 to change password of original root?
please advise

thanks
 
Old 08-05-2010, 06:19 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 7,572

Rep: Reputation: 697
No. You're off the map with root2.
A better option would be to userdel root2 and if you need a second 'root' make him a type of superuser. If, for instance, you had him alone as part of group root, you could adjust group permissions for things root owns so that the superuser can use them. Look at Kevux for a good example of how that is done. Everything seems to be controlled by group stuff.
http://kevux.org
 
Old 08-05-2010, 07:55 AM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Rep: Reputation: 2324
If you only need other user to do a few cmds, look into sudo
http://linux.die.net/man/8/sudo
 
Old 08-05-2010, 08:46 AM   #4
Winanjaya
Member
 
Registered: Sep 2003
Posts: 209

Original Poster
Rep: Reputation: 32
Actually, I want to let someone remote into my server for updating his application and also some of his MySQL databases and tables but I don't want to give him root's access rights.

any idea?

please advise

thanks
 
Old 08-05-2010, 08:57 AM   #5
diteshwithu
LQ Newbie
 
Registered: Aug 2010
Location: bangalore
Distribution: Redhat Linux
Posts: 3

Rep: Reputation: 0
If you don't want to give all the privileges, then you should go for sudo.
Here you can give the permissions that you want to give.

The configuration file is /etc/sudoers
 
Old 08-05-2010, 12:18 PM   #6
Winanjaya
Member
 
Registered: Sep 2003
Posts: 209

Original Poster
Rep: Reputation: 32
#visudo

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

test ALL = !NETWORKING


but user test still able to run /sbin/route

what I missed?
 
Old 08-05-2010, 12:40 PM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416
Quote:
and also some of his MySQL databases and tables but I don't want to give him root's access rights.
In case you weren't aware, MySQL users don't have anything to do with the system users. It is easy to give him a MySQL user that is completely restricted to the database he is using.


Quote:
but user test still able to run /sbin/route

what I missed?
Can user test still run route after a fresh login? Are you editing using visudo? That will give you clues if syntax is wrong.

Also, I would suggest using sudo to allow access to specific commands rather than deny them access. For example, since you haven't denied access to visudo, it is possible that test could use it to edit the sudoers file and give themselves access to the NETWORK commands.
 
Old 08-05-2010, 12:47 PM   #8
Winanjaya
Member
 
Registered: Sep 2003
Posts: 209

Original Poster
Rep: Reputation: 32
It does not warn me of an error.

Can user test still run route after a fresh login? yes, and it does not work
Are you editing using visudo? yes
 
Old 08-05-2010, 07:01 PM   #9
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416
OK, this is down to something trivial. I put your configuration into my sudoers file and it works, so there are no glaring errors. Maybe something in the spacing or a typo you missed? Here is what mine looks like:

Code:
Cmnd_Alias NETWORKING = /sbin/route,/sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

hangdog ALL = !NETWORKING
When I try to use sudo with any of those commands, it asks for the password and then denies access to the command.
 
Old 08-05-2010, 10:22 PM   #10
Winanjaya
Member
 
Registered: Sep 2003
Posts: 209

Original Poster
Rep: Reputation: 32
thanks, but how to only allow user to look into some folders only?

Last edited by Winanjaya; 08-05-2010 at 10:35 PM.
 
Old 08-06-2010, 01:36 AM   #11
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282
for the mysql part, look at the mysql grant statement

The below allows 'youruser' when connected from the given ip-address '192.168.1.16' to select and insert data from/into all tables in the database 'yourdatabase'.

Code:
grant usage on yourdatabase.* to 'youruser'@'192.168.1.16' identified by 'somepassword';
grant select, insert on yourdatabase.* to 'youruser'@'192.168.1.16';
As the user has local access in your case, you can change the ip-address to 'localhost'.

I assume you can work it out from here.
 
Old 08-06-2010, 08:13 AM   #12
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416
Quote:
Originally Posted by Winanjaya
thanks, but how to only allow user to look into some folders only?

You're going to have to explain what you're after a bit more fully. Folder access is usually handled by permissions, so a user only has access to folders they have permission to see. If you want to restrict users to specific folders you have to make sure that they are part of a group that can't see folders you don't want them in, and that the restricted folders aren't world readable. By the way, if this is related to the sudo part of the question, this is also an excellent example of why you want to grant access to specific commands rather than denying access to some. A user with the kind of sudo restrictions discussed in this thread could easily get around any folder permission restrictions.

If you'll post some details about what you want, I'm sure we'll come up with a more specific answer.
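
Posts #7 and #12 recommend granting specific commands rather than denying some. The Python sketch below is an added illustration, not code from the thread or from sudo: it models, for exact paths only, the sudoers rule that the last matching entry in a command list decides. The path /usr/sbin/visudo and the wrapper /usr/local/bin/update-app are assumed sample values.

```python
# Simplified model of how sudo evaluates one user's command list in sudoers:
# entries are checked left to right, the LAST matching entry decides, and a
# command that matches nothing is denied. Only exact paths and ALL are
# modeled (no wildcards, arguments, or runas specifications).

NETWORKING = ["/sbin/route", "/sbin/ifconfig", "/bin/ping", "/sbin/dhclient",
              "/usr/bin/net", "/sbin/iptables", "/usr/bin/rfcomm",
              "/usr/bin/wvdial", "/sbin/iwconfig", "/sbin/mii-tool"]
ALIASES = {"NETWORKING": NETWORKING}   # the Cmnd_Alias from the thread


def expand(cmnd_list):
    """Turn 'ALL, !NETWORKING' into [(allow, path_or_ALL), ...]."""
    rules = []
    for item in cmnd_list.split(","):
        item = item.strip()
        name = item.lstrip("!").strip()
        # An odd number of leading '!' negates the entry.
        allow = (len(item) - len(item.lstrip("!"))) % 2 == 0
        for target in ALIASES.get(name, [name]):
            rules.append((allow, target))
    return rules


def sudo_allows(cmnd_list, command):
    """Return True if this command list would permit `sudo command`."""
    decision = False                   # no match at all means denied
    for allow, target in expand(cmnd_list):
        if target == "ALL" or target == command:
            decision = allow           # last match wins
    return decision


# Constructed policies for comparison. update-app is a hypothetical
# wrapper script, not something named in the thread.
POLICIES = {
    "thread rule": "!NETWORKING",
    "deny-list": "ALL, !NETWORKING",
    "allow-list": "/usr/local/bin/update-app",
}


def report(commands):
    """Map each policy name to {command: allowed?} for the given commands."""
    return {name: {c: sudo_allows(spec, c) for c in commands}
            for name, spec in POLICIES.items()}


if __name__ == "__main__":
    sample = ["/sbin/route", "/usr/sbin/visudo", "/usr/local/bin/update-app"]
    for name, row in report(sample).items():
        print(f"{name:12}", row)
```

The model covers only what sudo itself permits. Commands a user runs directly, without sudo, are governed by file permissions and not by sudoers.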
 
  

