LinuxQuestions.org
Old 10-15-2012, 12:53 PM   #1
eyanu
Member
 
Registered: Jul 2012
Location: kampala,Uganda
Distribution: backtrack
Posts: 87

Rep: Reputation: Disabled
add root user with restricted access


Hello, I have created a user on my Linux box with SSH access and added him to the sudoers file. I would like him to be able to install normally but his access be limited by the files he sees.
Adding him to the sudoers file gives him full access to the system.
This user should not have full access to the whole system; I just want him to be able to install some packages. If you have any idea on how to go about this, please help me out.
 
Old 10-15-2012, 01:00 PM   #2
Habitual
LQ 5k Club
 
Registered: Jan 2011
Location: Nowhere near you, thank God.
Distribution: OSX Sierra
Posts: 8,591
Blog Entries: 15

Rep: Reputation: Disabled
http://stackoverflow.com/questions/5...sing-wireshark for an example.
 
Old 10-15-2012, 01:05 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547
Quote:
Originally Posted by eyanu
Adding him to the sudoers file gives him full access to the system.
Confine the user to only run allowed commands. If you follow the link Habitual posted please avoid using "NOPASSWD" unless you are absolutely sure you can trust this user (default answer: no).
 
1 members found this post helpful.
Old 10-15-2012, 01:08 PM   #4
eyanu
Member
 
Registered: Jul 2012
Location: kampala,Uganda
Distribution: backtrack
Posts: 87

Original Poster
Rep: Reputation: Disabled
Thanks guys for the quick response, this is what I have so far to let someone install something:
Quote:
echo 'ffeza ALL=(ALL) : /usr/bin/yum' >> /etc/sudoers
Please tell me if it's correct.
 
Old 10-15-2012, 01:10 PM   #5
eyanu
Member
 
Registered: Jul 2012
Location: kampala,Uganda
Distribution: backtrack
Posts: 87

Original Poster
Rep: Reputation: Disabled
And another thing: I've given him "/bin/chroot".
 
Old 10-15-2012, 01:14 PM   #6
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,800
Blog Entries: 4

Rep: Reputation: 286
Walter, did you add the following line in sudoers for that user?
<username> ALL=(ALL) ALL
It will give that user full super-user privileges. So just remove this line, and add the following line, to give the right for package installation only:
<username> ALL=/usr/bin/apt-get
Then user <username> will be able to invoke this command only with super-user privileges, like:
sudo apt-get
Enter sudo password:


So try it once, hope this will help you!

Last edited by shivaa; 10-15-2012 at 01:15 PM.
 
1 members found this post helpful.
Old 10-15-2012, 01:15 PM   #7
eyanu
Member
 
Registered: Jul 2012
Location: kampala,Uganda
Distribution: backtrack
Posts: 87

Original Poster
Rep: Reputation: Disabled
Thanks very much meninvenus, let me try that and will get back to you.
 
Old 10-15-2012, 01:45 PM   #8
eyanu
Member
 
Registered: Jul 2012
Location: kampala,Uganda
Distribution: backtrack
Posts: 87

Original Poster
Rep: Reputation: Disabled
Is there a way of setting that user to only install packages and not remove them...
 
Old 10-15-2012, 02:00 PM   #9
eyanu
Member
 
Registered: Jul 2012
Location: kampala,Uganda
Distribution: backtrack
Posts: 87

Original Poster
Rep: Reputation: Disabled
OK guys, that worked out fine, but now how do I restrict his movement? I want to confine him to his directory, let's say /var/www/vhosts/domainname.com
 
Old 10-15-2012, 02:07 PM   #10
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,800
Blog Entries: 4

Rep: Reputation: 286
Quote:
Originally Posted by eyanu
Is there a way of setting that user to only install packages and not remove them...
Since the same command is used to install as well as remove packages, as far as I understand, if a user has add privileges then he can remove as well.

Quote:
Originally Posted by eyanu
OK guys, that worked out fine, but now how do I restrict his movement? I want to confine him to his directory, let's say /var/www/vhosts/domainname.com
Confine means... do you want the user to access /var/www/vhosts/domainname.com only? Apparently, it can be done by setting appropriate permissions. But it will not be so useful. So simply remove the user from all important groups (check user groups using the "id -a <username>" command) and set only read permission on critical files/directories and restrict "write" permission for file owner only.

Last edited by shivaa; 10-15-2012 at 02:08 PM.
 
Old 10-15-2012, 02:11 PM   #11
eyanu
Member
 
Registered: Jul 2012
Location: kampala,Uganda
Distribution: backtrack
Posts: 87

Original Poster
Rep: Reputation: Disabled
id -a ffeza
Quote:
uid=10005(ffeza) gid=505(psacln) groups=505(psacln)
That's a Plesk server; I don't want to mess up removing permissions from him as that might affect his access to his website and others like FTP.
 
Old 10-15-2012, 02:16 PM   #12
eyanu
Member
 
Registered: Jul 2012
Location: kampala,Uganda
Distribution: backtrack
Posts: 87

Original Poster
Rep: Reputation: Disabled
And the problem if I apply chroot on him, I get:
Quote:
bash-3.2$ yum
bash: yum: command not found
bash-3.2$ sudo
bash: sudo: command not found
So I have given him full bash for now.
 
Old 10-15-2012, 02:37 PM   #13
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,800
Blog Entries: 4

Rep: Reputation: 286
OK. Let's not make it complicated, but keep it simple. My practical experience says that if you want to restrict a user from accessing your important data in a Unix environment, then, I repeat, remove the user from important groups, so the user cannot alter your important files/directories. I don't think that there's any need to use chroot, but on the other hand, you can use "setgid" or "sticky bit" permissions, which I have been using for years for protecting user's critical project data from non-group members and others. In your case, both "setgid" and "sticky bit" could be magical. So why don't you try it once...

Last edited by shivaa; 10-15-2012 at 02:40 PM.
 
Old 10-15-2012, 02:40 PM   #14
eyanu
Member
 
Registered: Jul 2012
Location: kampala,Uganda
Distribution: backtrack
Posts: 87

Original Poster
Rep: Reputation: Disabled
Yeah, I've actually been trying them out, and though the user can see other files he cannot delete them. Thanks a lot...
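
Added example, not part of any post in this thread: a shell helper that stages a per-user sudoers rule, checks it with `visudo -c -f`, and only then installs it, rather than appending to /etc/sudoers with `echo`. The function names and the /etc/sudoers.d destination (which needs an `#includedir /etc/sudoers.d` line in /etc/sudoers) are assumptions; `ffeza` and `/usr/bin/yum` come from the thread.

```shell
#!/bin/sh
# Added example; render_rule and install_rule are hypothetical helper names.

# render_rule USER COMMAND [ARGS...]
# Print one sudoers rule that lets USER run exactly COMMAND ARGS as root.
# No NOPASSWD tag is emitted, so the user still has to authenticate.
render_rule() {
    user=$1; shift
    printf '%s ALL = (root) %s\n' "$user" "$*"
}

# install_rule USER DESTDIR COMMAND [ARGS...]
# Write the rule to a temp file, let visudo check its syntax, and move it
# to DESTDIR/USER only if the check passes. On failure nothing is installed
# and the function returns non-zero, so a bad rule cannot break sudo.
install_rule() {
    user=$1; dest=$2; shift 2
    tmp=$(mktemp) || return 1
    render_rule "$user" "$@" > "$tmp"
    chmod 0440 "$tmp"                 # mode sudo expects for included files
    if visudo -c -f "$tmp" >/dev/null 2>&1; then
        mv "$tmp" "$dest/$user"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage, as root (quote the * so the shell does not expand it):
#   install_rule ffeza /etc/sudoers.d /usr/bin/yum install '*'
# sudoers matches the argument list as well as the path, so this rule
# permits "sudo yum install <pkg>" but not "sudo yum remove <pkg>".
# Package installation still runs the package's own scripts as root, so
# the grant remains a high-trust one.
```

After installing, `sudo -l -U ffeza` run as root lists what the user is allowed to run.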
 
  


All times are GMT -5.