[SOLVED] Best way to allow Service Accounts Root Access to conduct work?
Having an issue with some of the third-party software that I need to run on some of the RHEL servers. These accounts need to be able to traverse all directories in order to scan or list files.
However these accounts don't have Root access.
Right now, I'm not sure how to securely do this. Do I want to put these service accounts in the Root group?
I would think it is similar for any distribution: if there was software running which chose to view all user directories, then it would need to have permissions to do so. Either all the users are of the same group, and this software is also owned by a user with the same group, and then the group privileges for all the users would allow read and execute privileges for the group. This is probably less safe than using the root account to perform this, because allowing group access across all the users may be contrary to the security of each user's account.
Unfortunately, the vendors don't seem to care about security and don't like when I say no to their ideas.
One of them wants to give their service account the UID of Zero (0), which won't work since that is reserved already by Root. It might work, however it may cause issues in the future along with auditing issues too.
I think the best is when you add the user to sudoers text file.
True, however we want them to run automatically and not have to enter a password. We don't want to set the NOPASSWD option for these accounts in case they were compromised.
You can specify the exact command with the exact parameters in sudoers. Then that is all they can run, nothing more. See the book sudo Mastery for a comprehensive explanation of all the options, or "man sudoers" for the reference material regarding configuration.
Just be careful not to miswrite overly clever patterns. The asterisk does more than you think and should usually never be used. In general, I'd say patterns should be avoided. If necessary, wrap everything in a script and then call that script from sudo.
Last edited by Turbocapitalist; 02-05-2018 at 09:57 AM.
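As an added example of the approach in the post above (not code from the thread), here is what "exact command in sudoers, no patterns, wrap it in a script" looks like in practice. The service account name svc_scanner, the wrapper path /usr/local/sbin/scan-wrapper and the allowed roots /home and /srv are assumptions for the example. The password-less grant covers exactly one absolute path, so a compromised account gets that one wrapper and nothing else; the wrapper, not a sudoers pattern, decides which arguments are acceptable.

```shell
#!/bin/sh
# Added example (not from the thread): one fixed privileged command for a
# service account. The account "svc_scanner", the wrapper path
# /usr/local/sbin/scan-wrapper and the allowed roots are assumptions.
set -eu
PATH=/usr/bin:/bin   # do not trust the caller's PATH once running as root

# Contents for /etc/sudoers.d/svc_scanner. Exactly one absolute path and no
# wildcard: a pattern such as /usr/local/sbin/* would admit any binary there.
# Check the file with "visudo -c -f /etc/sudoers.d/svc_scanner" before use.
sudoers_fragment() {
  cat <<'EOF'
Defaults:svc_scanner !requiretty
svc_scanner ALL = (root) NOPASSWD: /usr/local/sbin/scan-wrapper
EOF
}

# Argument checking lives here, in a script we control, instead of in a
# sudoers pattern. Accept only an absolute path made of plain characters,
# with no ".." component, under one of the allowlisted roots.
validate_target() {
  case "$1" in
    */../*|*/..|../*|..) return 1 ;;   # path traversal
    *[!A-Za-z0-9/._-]*)  return 1 ;;   # spaces, quotes, $(...) and so on
    /home/*|/srv/*)      return 0 ;;   # allowlisted roots (assumed)
    *)                   return 1 ;;   # anything else, including relative paths
  esac
}

# The privileged work itself: list regular files under the target, staying on
# one filesystem and never following symlinks.
run_scan() {
  find "$1" -xdev -type f -print
}

main() {
  [ "$#" -eq 1 ] || { echo "usage: scan-wrapper DIR" >&2; exit 2; }
  validate_target "$1" || { echo "refused: $1" >&2; exit 1; }
  run_scan "$1"
}

# Run main only when invoked as the installed wrapper, so the functions can
# also be sourced and checked without running as root.
case "${0##*/}" in scan-wrapper) main "$@" ;; esac
```

Install the script as root-owned and mode 0755 (not writable by the service account, or the account could rewrite the one command it is allowed to run), and the vendor's job then calls `sudo /usr/local/sbin/scan-wrapper /home` instead of needing a root shell.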