Hi there

I have a Debian VPS webserver running a forum, and I'm currently looking for a secondary tech-admin. Since they'll have to have the root password for the server, I'm looking for a way to create a backdoor account that I can use to get in if they divulge the root password, or go crazy and lock me out.

Is there a way to do it?

Thanks!
Joe.

Do you have physical access to the server?

1 members found this post helpful.

No, it's a VPS on another continent

Work out what it is you want them to be able to do and then set that up with the sudo command. As time goes on you can add more commands with root privileges as needs be.

Sudo also gives you the added bonus of logging all the privileged commands that get executed.

Personally if you can't 100% trust someone don't give them root access.

3 members found this post helpful.

catkin asks the right 1st question.

The only thing that trumps root is physical access. You want an acct. that can do everything root can do, except change the root password. I think your choices are:

1. trust your appointee(s),
2. learn more about the original intent of sudo & the sudoers file than I care to, or
3. be prepared to pay -- possibly through the nose -- your hosting service for on-site maintenance in the event of disaster.

Edit: redgoblin posted while I was still writing (& Hangdog42 while I am editing), sorry for any duplication.

I like the idea of gradual additions to their privileges.

"Limiting their ability to do damage is much more productive than trying to clean up a mess afterward." is especially good advice.

I have a part in the group administration of several servers & am very interested in this. I would welcome posts of specific methods.

This is the way you handle the situation. The sudo command was designed to do exactly what you need. Looking for a backdoor to install probably wont' work since if they have the expertise to lock you out, they probably have the expertise to make sure that you can't use any back door. For example, what if they raised a firewall that only allowed SSH access from certain IP addresses? Or set up SSH to recognize only their account?

Limiting their ability to do damage is much more productive than trying to clean up a mess afterward.

It is not just a matter of trust: I am reluctant to give ANYONE the root account. I refuse to use it myself when anything else will serve. I log in as myself and use SUDO for logged and controlled access escalation.

I also use other tools so that I can extract a daily log of every command line that was executed at shell that day: but I am a paranoid old coot.

Thanks, I'll check out using sudo! I'd thought about it, but didn't know it was so flexible. (I assumed it was mainly used to stop the bruteforcing of the root account over SSH and the like). All they'll need to be able to do is edit forum configuration files and install styles/modifications, so I guess I can just let them use root privileges in /var/www. Can I do that using sudo?

Easily. You can even get VERY granular, and permit them to run only certain commands. For example, you can deny "vi /etc/shadow", but allow "vi /var/www/form.html".

Think VERY hard about the commands, though. It might seem like a good idea to permit "mkdir" or "cp" commands...but then there's nothing stopping them from running "sudo cp edited-shadow-file /etc/shadow", and removing the root password, for example. The fewer commands allow, the better. And if THEY have access to the box...what will stop them from booting from CD-ROM into single-user mode, and changing the password?

Is this by any chance a result of experience w/ *buntu?

Why root? -- Look at the -u option.

Who, user & group, owns /var/www on your system? Show us the result of:
You want to find the simplest, lowest privilege way of accomplishing your goal. It may be as easy as letting these webserver maintainers sudo to become the system account which controls /var/www/.

From /etc/passwd on my MEPIS desktop box:
Now there is no /var/www/ on my system, so I can't show its ownership; but there is a "www-data" group as well as user, I suspect the ownership of /var/www/ would be root:www-data.


It appears so.

Not so easily. vi (from the sudo point of view) has two problems:
1. Ability to change edited file/write to any file, not just the one specified on the command line
2. shell escape (i.e from vi which is run as root) you can execute any command of course as root too.

Second problem can be dealt with by using noexec option (or something like this) in the sudoers file
First one (and second too) by using sudoedit.

While allowing to edit only one file doable it's not that obvious.

Right...it was only an example, and was also followed up with "Think VERY hard about the commands, though.".

I just wanted to get more details to your "Think VERY hard about the commands, though." part.
No attack intended.

Valery.

No way anyone can access the server, it's virtualised and in Egypt XD

Funnily enough, yes XD I use it on any box that is used by someone other than me.

I've tried many a time to change ownership of /var/www to a different user, but never managed it. I need to spend more time on it, really.

What does "XD" mean in this context?

Never mind changing it for now, let's see if we can work around it -- please post the result of: