Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have a Debian VPS webserver running a forum, and I'm currently looking for a secondary tech-admin. Since they'll have to have the root password for the server, I'm looking for a way to create a backdoor account that I can use to get in if they divulge the root password, or go crazy and lock me out.
Work out what it is you want them to be able to do and then set that up with the sudo command. As time goes on you can add more commands with root privileges as needs be.
Sudo also gives you the added bonus of logging all the privileged commands that get executed.
Personally if you can't 100% trust someone don't give them root access.
The only thing that trumps root is physical access. You want an acct. that can do everything root can do, except change the root password. I think your choices are:
trust your appointee(s),
learn more about the original intent of sudo & the sudoers file than I care to, or
be prepared to pay -- possibly through the nose -- your hosting service for on-site maintenance in the event of disaster.
Edit: redgoblin posted while I was still writing (& Hangdog42 while I am editing), sorry for any duplication.
I like the idea of gradual additions to their privileges.
"Limiting their ability to do damage is much more productive than trying to clean up a mess afterward." is especially good advice.
I have a part in the group administration of several servers & am very interested in this. I would welcome posts of specific methods.
Work out what it is you want them to be able to do and then set that up with the sudo command. As time goes on you can add more commands with root privileges as needs be.
Sudo also gives you the added bonus of logging all the privileged commands that get executed.
Personally if you can't 100% trust someone don't give them root access.
This is the way you handle the situation. The sudo command was designed to do exactly what you need. Looking for a backdoor to install probably wont' work since if they have the expertise to lock you out, they probably have the expertise to make sure that you can't use any back door. For example, what if they raised a firewall that only allowed SSH access from certain IP addresses? Or set up SSH to recognize only their account?
Limiting their ability to do damage is much more productive than trying to clean up a mess afterward.
It is not just a matter of trust: I am reluctant to give ANYONE the root account. I refuse to use it myself when anything else will serve. I log in as myself and use SUDO for logged and controlled access escalation.
I also use other tools so that I can extract a daily log of every command line that was executed at shell that day: but I am a paranoid old coot.
Thanks, I'll check out using sudo! I'd thought about it, but didn't know it was so flexible. (I assumed it was mainly used to stop the bruteforcing of the root account over SSH and the like). All they'll need to be able to do is edit forum configuration files and install styles/modifications, so I guess I can just let them use root privileges in /var/www. Can I do that using sudo?
Thanks, I'll check out using sudo! I'd thought about it, but didn't know it was so flexible. (I assumed it was mainly used to stop the bruteforcing of the root account over SSH and the like). All they'll need to be able to do is edit forum configuration files and install styles/modifications, so I guess I can just let them use root privileges in /var/www. Can I do that using sudo?
Easily. You can even get VERY granular, and permit them to run only certain commands. For example, you can deny "vi /etc/shadow", but allow "vi /var/www/form.html".
Think VERY hard about the commands, though. It might seem like a good idea to permit "mkdir" or "cp" commands...but then there's nothing stopping them from running "sudo cp edited-shadow-file /etc/shadow", and removing the root password, for example. The fewer commands allow, the better. And if THEY have access to the box...what will stop them from booting from CD-ROM into single-user mode, and changing the password?
Thanks, I'll check out using sudo! I'd thought about it, but didn't know it was so flexible. (I assumed it was mainly used to stop the bruteforcing of the root account over SSH and the like).
Is this by any chance a result of experience w/ *buntu?
Quote:
Originally Posted by Joe of Loath
All they'll need to be able to do is edit forum configuration files and install styles/modifications, so I guess I can just let them use root privileges in /var/www.
Why root? -- Look at the -u option.
Who, user & group, owns /var/www on your system? Show us the result of:
Code:
ls -dl /var/www
You want to find the simplest, lowest privilege way of accomplishing your goal. It may be as easy as letting these webserver maintainers sudo to become the system account which controls /var/www/.
From /etc/passwd on my MEPIS desktop box:
Code:
www-data:x:<N>:<M>:www-data:/var/www:/bin/sh
Now there is no /var/www/ on my system, so I can't show its ownership; but there is a "www-data" group as well as user, I suspect the ownership of /var/www/ would be root:www-data.
Easily. You can even get VERY granular, and permit them to run only certain commands. For example, you can deny "vi /etc/shadow", but allow "vi /var/www/form.html".
Not so easily. vi (from the sudo point of view) has two problems:
1. Ability to change edited file/write to any file, not just the one specified on the command line
2. shell escape (i.e from vi which is run as root) you can execute any command of course as root too.
Second problem can be dealt with by using noexec option (or something like this) in the sudoers file
First one (and second too) by using sudoedit.
While allowing to edit only one file doable it's not that obvious.
Last edited by Valery Reznic; 11-26-2010 at 12:34 PM.
Not so easily. v (from the sudo point of view) has two problems:
1. Ability to change edited file/write to any file, not just the one specified on the command line
2. shell escape (i.e from vi which is run as root) you can execute any command of course as root too.
Second problem can be dealt with by using noexec option (or something like this) in the sudoers file
First one (and second too) by using sudoedit.
While allowing to edit only one file doable it's not that obvious.
Right...it was only an example, and was also followed up with "Think VERY hard about the commands, though.".
Easily. You can even get VERY granular, and permit them to run only certain commands. For example, you can deny "vi /etc/shadow", but allow "vi /var/www/form.html".
Think VERY hard about the commands, though. It might seem like a good idea to permit "mkdir" or "cp" commands...but then there's nothing stopping them from running "sudo cp edited-shadow-file /etc/shadow", and removing the root password, for example. The fewer commands allow, the better. And if THEY have access to the box...what will stop them from booting from CD-ROM into single-user mode, and changing the password?
No way anyone can access the server, it's virtualised and in Egypt XD
Quote:
Originally Posted by archtoad6
Is this by any chance a result of experience w/ *buntu?
Who, user & group, owns /var/www on your system? Show us the result of:
Code:
ls -dl /var/www
You want to find the simplest, lowest privilege way of accomplishing your goal. It may be as easy as letting these webserver maintainers sudo to become the system account which controls /var/www/.
Funnily enough, yes XD I use it on any box that is used by someone other than me.
I've tried many a time to change ownership of /var/www to a different user, but never managed it. I need to spend more time on it, really.
No way anyone can access the server, it's virtualised and in Egypt XD
...
Funnily enough, yes XD I use it on any box that is used by someone other than me.
What does "XD" mean in this context?
Quote:
Originally Posted by Joe of Loath
I've tried many a time to change ownership of /var/www to a different user, but never managed it. I need to spend more time on it, really.
Never mind changing it for now, let's see if we can work around it -- please post the result of:
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.