LinuxQuestions.org
Old 04-10-2013, 11:05 AM   #1
techux
Member
 
Registered: Mar 2013
Posts: 49

Rep: Reputation: Disabled
Admin users/group and active directory


Hi guys.

Some years back, when I was learning Linux, one thing I found is that there were only 2 types of Linux user: users without any permission and root.

And one way to have "administrator" permissions was to set the UID for the user to 0.

Is there any way to control this? I would like to have some admin users but without giving them all permissions, and some others with the same level of access as root.

The systems are CentOS, maybe Red Hat and Debian.

I have been using Google, but I found that at least for Ubuntu you can control which users can sudo X things.

On the other hand, we would like to authenticate some users with our Active Directory. But NOT every user should be able to access our Linux boxes, just some of them.

What track should I follow, so I can start following it?

Thanks
 
Old 04-10-2013, 11:16 AM   #2
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,927
Blog Entries: 1

Rep: Reputation: 176Reputation: 176
Definitely look into sudo and (on the Red Hat servers) the /etc/security/access.conf

--C
 
Old 04-10-2013, 05:28 PM   #3
techux
Member
 
Registered: Mar 2013
Posts: 49

Original Poster
Rep: Reputation: Disabled
Thanks. I would check that.

I found sudo, it could work for the moment.

But is there any way to allow all commands and forbid users from using sudo -i, or -s, or sudo su...

Some users will need access to root commands... While they use sudo we can track what commands they execute... but if they switch to root using sudo -i or sudo su, it would be more difficult to track.

Any ideas?
 
Old 04-10-2013, 07:06 PM   #4
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,927
Blog Entries: 1

Rep: Reputation: 176Reputation: 176
Quote:
Originally Posted by techux
Thanks. I would check that.

I found sudo, it could work for the moment.

But is there any way to allow all commands and forbid users from using sudo -i, or -s, or sudo su...

Some users will need access to root commands... While they use sudo we can track what commands they execute... but if they switch to root using sudo -i or sudo su, it would be more difficult to track.

Any ideas?

Make use of aliases and deny that functionality.

Something like this...

Code:
Cmnd_Alias SHELLS = /bin/bash, /bin/tcsh, /bin/csh, /bin/zsh, /bin/ksh, /bin/sh
%admins        ALL=(ALL)       ALL,!SHELLS
user1        ALL=(ALL)       ALL,!SHELLS
This will allow you to run all commands...but not drop into a shell.

Although this isn't recommended. The recommended way is to choose a finite list of commands to allow to run. "ALL" isn't good practice.

For instance...even with the above configuration...I can do this.

Code:
sudo vi /tmp/file
Then all I need to do is

Code:
:sh
And it'll drop me into a root shell.



--C
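
An added example, not part of the thread or any poster's code: a small Python audit that reads sudoers-style rules and flags the two patterns discussed above, `ALL` with `!` exclusions and editors or pagers allowed without the `NOEXEC` tag. The sample rules beyond the two from the thread, the `ESCAPERS` list and the `audit` function are assumptions made for illustration, and the parser handles only single-line rules.

```python
import os
import re

# Constructed sample: the two rules from the thread plus two hypothetical ones.
SAMPLE = """\
Cmnd_Alias SHELLS = /bin/bash, /bin/tcsh, /bin/csh, /bin/zsh, /bin/ksh, /bin/sh
Cmnd_Alias WEBOPS = /sbin/service httpd restart, sudoedit /etc/httpd/conf/httpd.conf
%admins        ALL=(ALL)       ALL,!SHELLS
user1        ALL=(ALL)       ALL,!SHELLS
%webteam     ALL=(root)      WEBOPS
%dba         ALL=(root)      /usr/bin/vi /etc/my.cnf, NOEXEC: /usr/bin/less /var/log/mysqld.log
"""

# Assumption: a short, non-exhaustive list of programs with a shell escape.
ESCAPERS = {"vi", "vim", "less", "more", "man"}
ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)+)(.*)$")

def audit(text):
    """Return (line_no, who, finding) for rules that cannot contain a user."""
    aliases, findings = {}, []
    rows = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)]
    for _, line in rows:                      # pass 1: collect Cmnd_Alias bodies
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    for n, line in rows:                      # pass 2: inspect user specs
        m = SPEC.match(line)
        if not m or line.startswith(("#", "Defaults")) or ALIAS.match(line):
            continue
        who, noexec, allowed, denied = m.group(1), False, [], False
        for item in (c.strip() for c in m.group(2).split(",") if c.strip()):
            t = TAGS.match(item)
            if t:                             # NOEXEC/EXEC persist along the list
                names = re.findall(r"[A-Z_]+", t.group(1))
                noexec = "NOEXEC" in names or (noexec and "EXEC" not in names)
                item = t.group(2)
            if item.startswith("!"):
                denied = True
                continue
            for cmd in aliases.get(item, [item]):
                allowed.append((cmd, noexec))
        if any(c == "ALL" for c, _ in allowed):
            findings.append((n, who, "ALL minus exclusions" if denied else "unrestricted ALL"))
        for cmd, nx in allowed:
            if os.path.basename(cmd.split()[0]) in ESCAPERS and not nx:
                findings.append((n, who, "shell escape via " + cmd.split()[0]))
    return findings
```

Running `audit(SAMPLE)` reports the two `ALL,!SHELLS` rules and the untagged `vi` rule, while the `sudoedit` allowlist and the `NOEXEC`-tagged pager pass.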
 
  

