Old 11-14-2003, 09:57 AM   #1
FatSteve
LQ Newbie
 
Registered: Nov 2003
Distribution: Red Hat 9
Posts: 4

Rep: Reputation: 0
Giving users more rights (Admin)


I have 2 problems.

1. I need to give 2 users the same rights as root. The policy in place in our company is that you are not meant to use admin accounts. You have to have accounts with those rights so that actions can be accountable to a person.



2. I need to be able to set up a user that can administer other users' passwords. I need a user to have permissions to be able to reset passwords of other users so that a root login is not needed.

Any help would be appreciated, but please bear in mind I am trying not to use the root account or the su command.

TIA

Steve
 
Old 11-14-2003, 11:04 AM   #2
Blinker_Fluid
Member
 
Registered: Jul 2003
Location: Clinging to my guns and religion.
Posts: 682

Rep: Reputation: 63
Just had this thought of a Windows security person trying to say how a *nix system should run...

It sounds like you want 2 accounts that are root equivalents and it also sounds like these 2 accounts will have people logged in so they are basically root all the time. (back to the all users are admins in windows...)
There are other things that I would rather do than have 2 people always running with root privileges... restrict root so users cannot directly log in as root, set up a script to email you every time someone logs in to root, archive/send to another source /var/log/messages, probably more but I'm still waking up.

I worked at one company that had some AIX systems running where occasionally the DBAs would need to run a root command. They used something like sudo except every time they ran the command an email was sent to the system administrators at the moment it was run. The email contained the command that was issued. This would be my preference instead of having 2 users running with root privs.
 
Old 11-14-2003, 12:42 PM   #3
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
It's like any other group permissions. Unfortunately I don't know which group will be able to modify accounts since I lazily added mine to wheel.
 
Old 11-15-2003, 08:42 PM   #4
Aurix
LQ Newbie
 
Registered: May 2002
Location: QLD, Australia
Distribution: Debian/Redhat
Posts: 14

Rep: Reputation: 0
Alternatively, you should look into the sudo command.

sudo allows you to allow users to run particular commands as other users (such as root). Any usage of sudo is logged, and seems to suit what you need.

Cheers.
 
Old 11-16-2003, 08:03 AM   #5
FatSteve
LQ Newbie
 
Registered: Nov 2003
Distribution: Red Hat 9
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks for the help I think the sudo command will work for the password admins.

I am not sure if it would for the administrators though (yes you are getting visions of Windows). The accounts with root privileges would only be used when it is needed to login and perform an admin task (Adding printers etc) so the 2 admins would not be always logged on with root privileges.

It is basically down to the auditors in the company wanting accountability for actions. If say I logged on as root and removed a file there is no way of telling that it was me that logged on and did it.

From a Windows point of view the procedure is that the admin password is locked in the safe and no one knows it, with individual admin accounts being set up with a unique password for each user. If a login as root is needed then the password would be known to more than one person.

Cheers

Steve
 
Old 11-16-2003, 04:00 PM   #6
Aurix
LQ Newbie
 
Registered: May 2002
Location: QLD, Australia
Distribution: Debian/Redhat
Posts: 14

Rep: Reputation: 0
G'day Steve,

I don't think you fully understand how sudo works.

Sudo will provide accountability, as it logs (in /var/log/messages in most cases) all use of the command, and what command which user executed.

Read up on sudo, it can do what you need =)


Cheers mate.
 
Old 11-17-2003, 09:29 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,492
Blog Entries: 54

Rep: Reputation: 2910
Try not to see "root" as an account but as a set of capabilities. You know those capabilities are most powerful, irreversible when applied to accounts (and coveted by anyone who doesn't have them).
Allowing root privileges to be handled by more than one account multiplies the risks of handling root's tasks. It isn't part of "best practices", regardless of what your company's policies say. Almost any solution would be qualitatively better than allowing this to happen. Sudo should not be an alternative but your first choice.

BTW, do I get it right that the company doesn't trust (skilled?) admins?

Quote (Aurix):
Sudo will provide accountability, as it logs (in /var/log/messages in most cases) all use of the command, and what command which user executed.

Running sudo paired with some auditing tools may help you make a case for Sudo. For commands that handle things like editing device configuration you should write a wrapper or a front-end to validate input and config consistency, and patch the kernel with LIDS or Grsecurity. This will allow you to ACL the system and processes to the point where even root can be denied access to Do Stuff, and adds auditing capabilities (in the case of Grsecurity). Next set up an LD_SO_PRELOAD environment which loads libraries that log deletions, or use syscalltracker.
Top it off with setting the immutable bit on system binaries and configs to protect against "casual" deletion, harden the shell's configs, add filesystem integrity checking to keep a tab on changes, and add remote logging. I use a custom vi wrapper to edit configs. It respects extended file attributes (immutable, undelete etc.), allows me to do a rollback and provides me editing history.


What we try to say is, exhaust Sudo's capabilities, then look for other methods.
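Putting posts #4, #6 and #7 together for Steve's two problems, here is a constructed sudoers fragment (an added example, not something posted in the thread). The user names, the pwadmins group, the log path and the mail address are assumptions; the logging and mail options are standard sudoers Defaults.

```sudoers
# Constructed /etc/sudoers fragment (example, not from the thread).
# Names below (steve, jdoe, pwadmins, paths, address) are assumptions.

# Keep sudo's own log in addition to syslog (/var/log/messages), and mail
# the sysadmins on every invocation, accepted or refused: this is the
# "email sent each time the command was run" setup from post #2.
Defaults        logfile=/var/log/sudo.log
Defaults        mailto="sysadmins@example.com", mail_always

# Problem 1: the two admins keep their personal accounts and get root
# rights through sudo, so each privileged command is logged against the
# person who ran it; the root password can stay in the safe.
User_Alias      ADMINS = steve, jdoe
ADMINS          ALL = (root) ALL

# Problem 2: password admins may run passwd as root, but only with a
# plain user name as the argument. The negation forbids targeting root,
# and the [A-Za-z]* pattern rejects option arguments such as -d (remove
# the password) or -l (lock), which begin with '-'.
Cmnd_Alias      PASSWD_RESET = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%pwadmins       ALL = (root) PASSWD_RESET
```

Edit it in with visudo, which refuses to save a fragment that does not parse. A refused attempt such as sudo passwd root is logged by sudo as "command not allowed" together with the user and TTY, so the audit trail records denials as well as successful commands.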
 
Old 11-19-2003, 06:37 AM   #8
FatSteve
LQ Newbie
 
Registered: Nov 2003
Distribution: Red Hat 9
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks everyone, let's just say I drastically underestimated the capabilities of sudo

Steve