LinuxQuestions.org
Old 02-19-2010, 07:26 AM   #1
Alex_Dc
Member
 
Registered: Oct 2009
Posts: 104

Rep: Reputation: 22
sudo non-user/non-root password


Stumped on this one. I'm trying to set up limited sudo authority on a desktop with some sensitive user data, and as an extra precaution I wanted to configure sudo to use a password other than the user's or the root's. I'm not sure how to do this. From the manual, we have a few options, such as "runaspw" or "targetpw", but none seem quite what I'm looking for.

For instance, "runaspw" could be used if I created a user for nothing other than sudo(ing) purposes, but it requires you set "runas_default", which means that said user would have to have authority to execute said commands in the first place. This is workable, but seems like a lot of extra configuration for each specific command that I want to run, as well as creating some issues with simple commands such as "shutdown" or "reboot". Also, "targetpw" can be used in conjunction with a sudo(ing)-only user if I set an alias, but, again, this isn't quite what I am looking for.

Ultimately, what I am really concerned about in this situation are keystroke loggers, so I would prefer to avoid repeatedly entering the user or root password when performing administrative tasks. Also, I would prefer not having to create a sudo(ing)-only user as mentioned above to prevent a compromised password resulting in an attacker being able to log into my system.

Any ideas?
 
Old 02-19-2010, 07:36 AM   #2
cantab
Member
 
Registered: Oct 2009
Location: England
Distribution: *buntu, Vector
Posts: 499

Rep: Reputation: 102
Most of what you say is beyond me, but you can make a user account that cannot login by setting their login shell appropriately. Some distros provide /sbin/nologin (like RHEL) which spits out a message saying login isn't allowed. Others tend to use /bin/false.
Usually that's used for things like samba-only users, but it might work for what you want to do.

Bear in mind you will need to make additional configuration to prevent them gaining (non-shell) access by ssh, as is discussed here: http://www.semicomplete.com/articles/ssh-security/
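A check for the setup suggested in the post above, as an added example that is not part of the original thread: it reads a passwd-format file and an sshd_config-format file and reports whether a password-only account has a non-login shell and is also refused over ssh. The account names and both sample files are constructed, and `DenyUsers` is assumed here as the additional ssh configuration.

```shell
#!/bin/sh
# Audit a password-only account: non-login shell set, and refused by sshd.
# Account names (sudoauth, sudoauth2) and both sample files are constructed.

# Print the login shell recorded for user $1 in passwd-format file $2.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Succeed if user $1 is listed on a DenyUsers line of sshd_config-format file $2.
# Exact names only; user@host and wildcard patterns are not evaluated.
ssh_denied() {
    awk -v u="$1" 'tolower($1) == "denyusers" {
        for (i = 2; i <= NF; i++) if ($i == u) found = 1
    } END { exit !found }' "$2"
}

# Print space-separated findings for user $1, or "ok" if there are none.
audit_account() {
    user=$1 passwd=$2 sshd=$3 findings=""
    shell=$(login_shell "$user" "$passwd")
    case $shell in
        "") findings="no-such-user" ;;
        /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) findings="interactive-shell:$shell" ;;
    esac
    if [ -n "$shell" ] && ! ssh_denied "$user" "$sshd"; then
        findings="${findings:+$findings }ssh-not-denied"
    fi
    echo "${findings:-ok}"
}

# Constructed sample data: two candidate accounts and an sshd_config excerpt.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sudoauth:x:990:990:sudo auth only:/nonexistent:/sbin/nologin
sudoauth2:x:991:991:sudo auth only:/home/sudoauth2:/bin/bash
EOF
cat > "$SAMPLES/sshd_config" <<'EOF'
PermitRootLogin no
DenyUsers sudoauth
EOF

for u in sudoauth sudoauth2; do
    printf '%s: %s\n' "$u" "$(audit_account "$u" "$SAMPLES/passwd" "$SAMPLES/sshd_config")"
done
```

On a real host the two file arguments would be /etc/passwd and /etc/ssh/sshd_config.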
 
Old 02-19-2010, 07:46 AM   #3
Alex_Dc
Member
 
Registered: Oct 2009
Posts: 104

Original Poster
Rep: Reputation: 22
Quote:
Originally Posted by cantab
Most of what you say is beyond me, but you can make a user account that cannot login by setting their login shell appropriately. Some distros provide /sbin/nologin (like RHEL) which spits out a message saying login isn't allowed. Others tend to use /bin/false.
Usually that's used for things like samba-only users, but it might work for what you want to do.

Bear in mind you will need to make additional configuration to prevent them gaining (non-shell) access by ssh, as is discussed here: http://www.semicomplete.com/articles/ssh-security/
That was something I was considering, and might be the best solution. But as you said, there is the ssh issue. And there are god-knows what other exploits I'm not even aware of. But thank you for the response, this might be what I end up implementing if there are no better options.
 
Old 02-19-2010, 07:28 PM   #4
Alex_Dc
Member
 
Registered: Oct 2009
Posts: 104

Original Poster
Rep: Reputation: 22
Never mind, the "targetpw" with sudo -u idea won't work. I don't know what I was thinking, but the -u option means run as user, which puts me back in the same place of setting some complex user permissions.

No other ideas on this one? Along with some restrictions on what commands can be used, this seems like a simple way to greatly increase the security of sudo.

Maybe I should Mr. Miller and see if he would consider adding this feature.
 
  

