Backdoor to server?
Hi there
I have a Debian VPS webserver running a forum, and I'm currently looking for a secondary tech-admin. Since they'll have to have the root password for the server, I'm looking for a way to create a backdoor account that I can use to get in if they divulge the root password, or go crazy and lock me out. Is there a way to do it? Thanks! Joe. |
Do you have physical access to the server?
|
No, it's a VPS on another continent :p
|
Work out what it is you want them to be able to do and then set that up with the sudo command. As time goes on you can add more commands with root privileges as needs be.
Sudo also gives you the added bonus of logging all the privileged commands that get executed. Personally if you can't 100% trust someone don't give them root access. |
catkin asks the right 1st question.
The only thing that trumps root is physical access. You want an acct. that can do everything root can do, except change the root password. I think your choices are:
Edit: redgoblin posted while I was still writing (& Hangdog42 while I am editing), sorry for any duplication. I like the idea of gradual additions to their privileges. "Limiting their ability to do damage is much more productive than trying to clean up a mess afterward." is especially good advice. I have a part in the group administration of several servers & am very interested in this. I would welcome posts of specific methods. |
Quote:
This is the way you handle the situation. The sudo command was designed to do exactly what you need. Looking for a backdoor to install probably wont' work since if they have the expertise to lock you out, they probably have the expertise to make sure that you can't use any back door. For example, what if they raised a firewall that only allowed SSH access from certain IP addresses? Or set up SSH to recognize only their account? Limiting their ability to do damage is much more productive than trying to clean up a mess afterward. |
root access
It is not just a matter of trust: I am reluctant to give ANYONE the root account. I refuse to use it myself when anything else will serve. I log in as myself and use SUDO for logged and controlled access escalation.
I also use other tools so that I can extract a daily log of every command line that was executed at shell that day: but I am a paranoid old coot. |
Thanks, I'll check out using sudo! I'd thought about it, but didn't know it was so flexible. (I assumed it was mainly used to stop the bruteforcing of the root account over SSH and the like). All they'll need to be able to do is edit forum configuration files and install styles/modifications, so I guess I can just let them use root privileges in /var/www. Can I do that using sudo?
|
Quote:
Think VERY hard about the commands, though. It might seem like a good idea to permit "mkdir" or "cp" commands...but then there's nothing stopping them from running "sudo cp edited-shadow-file /etc/shadow", and removing the root password, for example. The fewer commands allow, the better. And if THEY have access to the box...what will stop them from booting from CD-ROM into single-user mode, and changing the password? |
Quote:
Quote:
Who, user & group, owns /var/www on your system? Show us the result of: Code:
ls -dl /var/www From /etc/passwd on my MEPIS desktop box: Code:
www-data:x:<N>:<M>:www-data:/var/www:/bin/sh Quote:
|
Quote:
1. Ability to change edited file/write to any file, not just the one specified on the command line 2. shell escape (i.e from vi which is run as root) you can execute any command of course as root too. Second problem can be dealt with by using noexec option (or something like this) in the sudoers file First one (and second too) by using sudoedit. While allowing to edit only one file doable it's not that obvious. |
Quote:
|
Quote:
No attack intended. Valery. |
Quote:
Quote:
I've tried many a time to change ownership of /var/www to a different user, but never managed it. I need to spend more time on it, really. |
Quote:
Quote:
Code:
ls -dl /var/www |
All times are GMT -5. The time now is 06:26 AM. |