LinuxQuestions.org
Old 05-23-2005, 08:30 PM   #1
linuxpyro
Member
 
Registered: Apr 2004
Distribution: Gentoo
Posts: 134

Rep: Reputation: 16
Sub-root administrators?


I am running a small server with Gentoo. I will be using this for Web, Mail, POP3, possibly DNS, and MySQL. I am going to be hosting a few domains, two for myself and a couple others for some friends. I will also leave SSH open, for a terminal session as well as secure FTP.

My plan is to create a group for each domain I add (except of course for my own domains). This way if more than one person happens to be involved in maintaining the site, I can give them each their own account, as well as Email address, etc. What I want to be able to do is to create a "sub-root" administrative account, one with which I can if necessary have access to all of the files in each particular group yet not be able to, for example, run init scripts or tweak config files. (My reasoning for this is the same as that behind the idea of adding a normal user in addition to root in Linux installs: So I can do day-to-day work with it without accidentally breaking my system. I might also give such an account to another person whom I trust, but otherwise it is mainly for myself.) The best thing I can think of doing in this case is to create an account and add it to each of the groups, but the problem with this would be that it would still be possible to hide things from this admin.

Have some of you guys had a similar situation? I know the whole Linux security setup is not very flexible in terms of this sort of thing, but it seems like there should be a way. Thanks for any input.
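
Added example, not part of the original thread: the gap described in post #1 (an admin account that is only a member of each domain's group can still be shut out by group ownership or mode bits) can be checked for with a small audit script. The function names and the sample tree are assumptions made for illustration, and only classic mode bits are examined, not ACLs.

```shell
#!/bin/sh
# Added example, not from the thread. Reports entries under a per-domain
# directory that an admin account relying only on group membership cannot reach.
#   NOGROUP path  group owner is not GROUP
#   NOREAD  path  GROUP has no read bit
#   NOENTER path  directory without the group execute (search) bit

audit_group_access() {
    root=$1 group=$2
    find "$root" ! -group "$group" -print | sed 's/^/NOGROUP /'
    # Symlinks are skipped: their own mode bits are not used for access checks.
    find "$root" ! -type l ! -perm -040 -print | sed 's/^/NOREAD /'
    find "$root" -type d ! -perm -010 -print | sed 's/^/NOENTER /'
}

# Constructed sample tree (hypothetical layout): one readable page, plus one
# file and one directory that their owner has closed to the group.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir "$tree/private"
    echo '<html></html>' > "$tree/index.html"
    echo 'hidden' > "$tree/notes.txt"
    chgrp -R "$(id -g)" "$tree"
    chmod 750 "$tree"
    chmod 640 "$tree/index.html"
    chmod 600 "$tree/notes.txt"
    chmod 700 "$tree/private"
    printf '%s\n' "$tree"
}

if [ "$#" -eq 2 ]; then
    audit_group_access "$1" "$2"        # real use: DIRECTORY GROUP
else
    sample=$(make_sample_tree) && audit_group_access "$sample" "$(id -g)"
    rm -rf "$sample"
fi
```

Run as root from cron against each domain's directory, an empty report means the group-member account can read everything in that tree.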
 
Old 05-24-2005, 04:18 AM   #2
RandomLinuxNewb
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 101

Rep: Reputation: 15
I would look into chroot and lock these "sub-root" accounts into their own folders. Then set every file to be rwx by their user inside the chroot jail.
 
Old 05-24-2005, 02:47 PM   #3
halo14
Senior Member
 
Registered: Apr 2004
Location: Surprise, AZ
Distribution: Debian | CentOS | Arch
Posts: 1,103

Rep: Reputation: 45
It's not as easy as it sounds because when you chroot an SSH connection, then you are not allowing access to /bin, /usr and the like, which is where the programs you want to run are. There are some decent tutorials that cover it more in depth, but a quick Google search will yield multiple results.
 
Old 05-24-2005, 04:33 PM   #4
linuxpyro
Member
 
Registered: Apr 2004
Distribution: Gentoo
Posts: 134

Original Poster
Rep: Reputation: 16
So basically what you're saying is to chroot each of the sub-root users, give them ownership of everything in the chroot folder, and have all the Webhosting clients also work out of these folders?

I had thought about chrooting each of the Web hosting clients, but not the sub-root admins.
 
  

