LinuxQuestions.org, Linux - Security forum
Old 11-18-2004, 12:22 PM   #1
muman
LQ Newbie
 
Registered: Sep 2004
Posts: 11

Rep: Reputation: 0
su and sudo


Not sure if this is possible, but looking for ideas. Have a few admins (who have ssh), and quite a few user logins for whom ssh is disabled (via /sbin/nologin in /etc/passwd), but they can ftp in fine and change configs, upload files etc.

Each user has processes run on their behalf by us. I would like these to run as their own username instead of as an admin, but allow admins to kill the users' processes, restart, edit configs etc, which means becoming that user.

In other words what I'd like is a kind of permanent su -lm username (not for root, just so other admins can log in as other users without needing the password, as storing every password in one place to remember seems inefficient and insecure as well), but using the sudoers type config.

So basically is it possible to login as a user who has ssh disabled without needing their password? Either via sudo (longer than 1 command) or su until you exit their login?
 
Old 11-18-2004, 01:29 PM   #2
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
From: http://www.siliconvalleyccie.com/linux-hn/sudo.htm

Granting Access To Specific Files As Another User

The "sudo -u" option allows you to execute a command as if you were another user, but first you have to be granted this privilege in the sudoers file.

This feature can be convenient for programmers who sometimes need to kill processes related to projects they are working on. For example, programmer "peter" is on the team developing a financial package that runs a program called "monthend" as user "accounts". From time to time the application fails, requiring "peter" to stop it with the /bin/kill, /usr/bin/kill or /usr/bin/pkill commands but only as user "accounts". The sudoers entry would look like this:


peter ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill

User "peter" would now be allowed to stop the "monthend" process with this command:

[peter@bigboy peter]# sudo -u accounts pkill monthend
 
Old 11-18-2004, 05:13 PM   #3
muman
LQ Newbie
 
Registered: Sep 2004
Posts: 11

Original Poster
Rep: Reputation: 0
Hiya, and thanks bignerd. That was pretty much the state of play I had got to. I've got it so we can use sudo -u xxx pkill process, for example, as you say with no pass. The main thing I was trying to figure out was, if there's a time when you know you have a lot of work to do for one person's account for example, whether there was a permanent way to be "sudo'd" in to their account (until finished and log out), so every command is like being su'd in, so you don't need to type in sudo -u xxx before absolutely every command (that's the main complaint from admins about using it, they don't want to keep typing that in each time), and can just kill the process, edit configs etc. Every command the user has access to, you do, and only have access to that user, then log out when finished with an exit type function. Basically a kind of hybrid between su -u and sudo.

Basically su would work fine if the password could be bypassed like in the sudoers file. So admin x can su to any group he has control of without needing their password.

Hope that makes sense? Thanks for the reply.
 
Old 11-19-2004, 09:38 AM   #4
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
I don't know of a way without allowing your admins to have root access.

<admin1@localhost>$ su - root
enter pass for root:

<root@localhost># su - user1
<user1@localhost>$

This may not be what you want but it's the only way I know to su to a user account without having to know the user's password.

Maybe someone else has more experience in this?

-b
 
Old 12-28-2004, 02:22 PM   #5
crabboy
Moderator
 
Registered: Feb 2001
Location: Atlanta, GA
Distribution: Slackware
Posts: 1,823

Rep: Reputation: 120
How about:

Code:
jane     ALL     =  (ted)  /usr/bin/bash
All jane has to do to become ted is: sudo -u ted bash

Jane supplies her password and is su'd to ted.
 
Old 12-29-2004, 11:59 AM   #6
muman
LQ Newbie
 
Registered: Sep 2004
Posts: 11

Original Poster
Rep: Reputation: 0
Hiya, that's getting pretty close, thanks!

Main problem I think is it seems to take the original user's home dir for bash (i.e. jane's and not ted's). I've also tried doing bash --rc which stops some errors, but can't force it as though it comes from the user themselves.

Also tried creating a bash script chuser to take $1 as the argument and sudo -u $1 bash --rc etc, then change dir, but that doesn't work either: permission denied, as it still thinks I'm the first user at that point. (Also, any security issues doing it that way as a script? Can't see any.)

Thanks a lot for the suggestion, getting closer. If anyone knows an easy way to force it to use the user's homedir/shell/profile as well, that would just about be there I think.
 
Old 12-29-2004, 01:51 PM   #7
Halz
LQ Newbie
 
Registered: Oct 2001
Posts: 23

Rep: Reputation: 15
To get what you're asking for, 'sudo su <username>', and then just define which usernames the admin has sudoer access to.
 
Old 12-29-2004, 03:10 PM   #8
muman
LQ Newbie
 
Registered: Sep 2004
Posts: 11

Original Poster
Rep: Reputation: 0
Hiya and thanks, that would be the ideal solution, except that shell access is disabled for all those users and only ftp access is allowed, so su username would fail on that being disabled. Thanks though, still giving me avenues to think of restricting in different areas to maybe allow that method.

edit: think the sudo -H might help, just trying that as well.

Last edited by muman; 12-29-2004 at 03:30 PM.
 
Old 12-30-2004, 06:36 AM   #9
Cerbere
Member
 
Registered: Dec 2002
Location: California
Distribution: Slackware & LFS
Posts: 799

Rep: Reputation: 33
Rather than disabling all shell access (via /sbin/nologin in /etc/passwd), how about adding an AllowGroups directive to sshd_config with an 'admin' group and/or a DenyGroups directive for 'users'?

Enjoy!
--- Cerbere
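Added example, not from the thread or from OpenSSH: a small shell model of how sshd evaluates the AllowGroups/DenyGroups suggestion above, run against a constructed sshd_config fragment. The directive order (DenyUsers, AllowUsers, DenyGroups, AllowGroups) is the one documented in sshd_config(5); the user and group names are made up.

```bash
#!/bin/bash
# Added example: evaluate sshd's allow/deny directives offline, to show why an
# 'admin' AllowGroups entry shuts everyone else out of ssh while ftp still works.
# sshd processes DenyUsers, AllowUsers, DenyGroups, then AllowGroups (sshd_config(5));
# a login must survive every stage. Keyword matching here is case-sensitive.

# Constructed sshd_config fragment (hypothetical contents, embedded inline).
SSHD_CONFIG='
Port 22
AllowGroups admin
DenyGroups users
'

# _directive NAME CONFIG -> prints the values of the first NAME line, if any
_directive() {
    printf '%s\n' "$2" | while read -r k rest; do
        [ "$k" = "$1" ] && { printf '%s\n' "$rest"; break; }
    done
}

# _in_list WORD "a b c" -> 0 if WORD is one of the words
_in_list() {
    local w; for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1
}

# _any_in_list "g1 g2" "a b c" -> 0 if any word of the first list is in the second
_any_in_list() {
    local g; for g in $1; do _in_list "$g" "$2" && return 0; done; return 1
}

# ssh_login_allowed USER "GROUP..." CONFIG -> 0 if sshd would accept USER
ssh_login_allowed() {
    local user=$1 groups=$2 cfg=$3 v
    v=$(_directive DenyUsers "$cfg");   [ -n "$v" ] && _in_list "$user" "$v" && return 1
    v=$(_directive AllowUsers "$cfg");  [ -n "$v" ] && ! _in_list "$user" "$v" && return 1
    v=$(_directive DenyGroups "$cfg");  [ -n "$v" ] && _any_in_list "$groups" "$v" && return 1
    v=$(_directive AllowGroups "$cfg"); [ -n "$v" ] && ! _any_in_list "$groups" "$v" && return 1
    return 0
}

# sshd only rereads the file at start-up or on 'kill -HUP <sshd pid>';
# editing it alone changes nothing for new logins.
ssh_login_allowed alice "alice admin" "$SSHD_CONFIG" && echo "alice: ssh allowed"
ssh_login_allowed jane "jane users" "$SSHD_CONFIG" || echo "jane: ssh denied (ftp unaffected)"
```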
 
Old 12-30-2004, 10:55 AM   #10
muman
LQ Newbie
 
Registered: Sep 2004
Posts: 11

Original Poster
Rep: Reputation: 0
Ahhh, I think that's the nail on the head for me. I actually started off messing with sshd_config, but could never get it to stop people, so thought I'd mess about again after you said that. I never realised it only changed after a kill -HUP, I always thought it reread the config for every login. So I think that's sorted, cheers muchly!

So I've actually got two ways now (I think) and created 2 scripts just to make it easier, something like swuser, just in case it helps anyone else searching in future.

#!/bin/bash
# using ssh deny for some users, prob quicker
sudo su -l "$1"

#!/bin/bash
# using /sbin/nologin to deny some
sudo -H -u "$1" bash


I don't see any security problems doing it that way just so you can quickly type in "swuser jane" as long as they are in the sudoers file, unless anyone else can (making sure in sudoers users are specified so you can't sudo su to root), so should be secure.


Just wanted to thank everyone for their help, knew it was possible and not that tricky, but wouldn't have put it all together without your help.

Thanks again, happy new year.

Last edited by muman; 12-30-2004 at 11:05 AM.
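Added example, not the OP's swuser script: a stricter version that validates the target account before anything reaches sudo and chooses between the two commands above based on the account's shell. The managed-account list and the sudoers lines in the comments are hypothetical.

```bash
#!/bin/bash
# Added example, not the thread's script: a stricter 'swuser' that checks the
# target first, then picks the thread's two methods by the account's shell:
#   usable login shell   -> sudo su -l USER      (full login environment)
#   /sbin/nologin shell  -> sudo -H -u USER bash (su -l would only print
#                           "This account is currently not available")
# Hypothetical sudoers lines (via visudo) it expects; no root shell is granted:
#   Runas_Alias MANAGED = jane, ted
#   %admin ALL = (MANAGED) /bin/bash
#   %admin ALL = (root) /bin/su -l jane, /bin/su -l ted

ALLOWED_TARGETS="jane ted"   # hypothetical; keep in step with the Runas_Alias

# swuser_plan USER PASSWD_RECORD -> prints the command to run, or fails.
# The getent passwd record is passed in so the logic can be tested offline.
swuser_plan() {
    local user=$1 rec=$2 uid shell t ok=1 oldifs
    case $user in
        ''|*[!a-z0-9_-]*) echo "swuser: bad user name" >&2; return 1 ;;
    esac
    for t in $ALLOWED_TARGETS; do [ "$t" = "$user" ] && ok=0; done
    [ $ok -eq 0 ] || { echo "swuser: $user is not a managed account" >&2; return 1; }
    [ -n "$rec" ] || { echo "swuser: no such user $user" >&2; return 1; }
    oldifs=$IFS; IFS=:; set -- $rec; IFS=$oldifs   # split name:pw:uid:gid:gecos:home:shell
    uid=$3 shell=$7
    [ "$uid" -ne 0 ] || { echo "swuser: refusing uid 0" >&2; return 1; }
    case $shell in
        */nologin|*/false) echo "sudo -H -u $user bash" ;;
        *)                 echo "sudo su -l $user" ;;
    esac
}

# Real use: 'swuser jane' looks the account up and execs the chosen command.
if [ $# -gt 0 ]; then
    cmd=$(swuser_plan "$1" "$(getent passwd "$1")") && exec $cmd
fi
```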
 