07-16-2007, 04:51 AM
#1
LQ Newbie
Registered: Apr 2006
Posts: 3
How do I give root access to multiple users?
I'm running Fedora Core 2 on my machine. I want to create 3 other users and I want them to have root privileges. How do I do this?

07-16-2007, 04:54 AM
#2
Member
Registered: Nov 2004
Location: Venice, Italy
Distribution: Gentoo
Posts: 44
Just assign them UID 0. You must edit the file /etc/passwd.
Typical Format:
username:x:UID:GID:INFO:HOME:SHELL

07-16-2007, 05:10 AM
#3
LQ Guru
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131
That's something you really should not be doing. A machine only should have one administrator with root privileges, because if there are others with full permissions to everywhere, the system's security holes (which are never 100% filled) just multiply. The good way to let other users (than root) do some things with root privileges is to use sudo. There's this su command that people can use to become root, but that's just as stupid for several users, because then they would all need to know the root password, and you couldn't tell who of them did something because everybody used the same user. With sudo you can control who can use what command as root, and with or without his/her own password. Ok, it's not wise to let do anything without a password, but that's something you can do so I mentioned it also.
Most modern distributions should have sudo installed. What you do in order to use it, is edit /etc/sudoers and configure the user(s)/group(s) that you want to have access to some command (or all, but again, it's foolish to let access anywhere -> then they could access root account anyway, and your system was unsecure again). In some cases it's also needed for those users to belong to the sudo group to be able to use the command at all. After this is set up, the user can
Code:
sudo /sbin/somecommand_that_only_root_can_run
and they're prompted for their own password, after which the command is run with root privileges (without root login/password needed). When the commanded program exits, no root login is left open (you can specify a time for how long 'sudo' remembers you gave a password to it, so quick subsequent sudo's don't ask for password each time, only after specified time from last command).
Surely the other 3 users don't need root permissions for everything on the system. Better have one root account (for yourself, if you're the admin), and specify what the other 3 need to be able to do with root privileges, and then configure sudo so that they can only access those things. Be careful with sudo, if you let the users run something you didn't expect, they might gain root login anyway for example if you let them run 'su' with sudo, or a shell, they've got root login for everything...
Quote:
Just assign them UID 0. You must edit the file /etc/passwd
I don't think you could do that. UIDs are unique, or should be at least, and if the system permitted you to have multiple identical UIDs, you could start waiting for a catastrophe. What if somebody wanted to run something as UID=xxxx, but there were two accounts, with different permissions, that had the same UID? Your system couldn't figure out which one to use. It's just insane. I've never tried what happens if you do manually alter passwd and shadow (they've both checked!), but I don't expect it to be anything nice. Root has UID 0, others don't. Use sudo.
Last edited by b0uncer; 07-16-2007 at 05:12 AM.

07-16-2007, 05:16 AM
#4
Member
Registered: Nov 2004
Location: Venice, Italy
Distribution: Gentoo
Posts: 44
b0uncer is right; anyway, you could have multiple users with UID 0. The permissions are stored with UID, so all works ok.

07-16-2007, 05:31 AM
#5
LQ Newbie
Registered: Apr 2006
Posts: 3
Original Poster
Thanks for the advice. I'll try put your suggestions.

07-16-2007, 03:48 PM
#6
Member
Registered: Apr 2006
Location: Washington
Distribution: Debian Gnu/Linux Lenny on AMD64x2 (32-bit mode), an AMD Sempron 64 laptop, debian, 32bit
Posts: 101
I would like to assume you mean all 3 other users should have full root privileges (like, maybe they're all for you, but for different purposes -- I have one for software development, web browsing, and school, personally).
In this case, you still don't want multiple users with UID 0. This just mucks up and confuses the whole system -- and as soon as you want to take root privileges away, you have to chown every file that user owns (and it could be hard to locate them -- with that sort of privilege, they could be anywhere!)
Sudo is still your best option.
There is a line at the bottom of the /etc/sudoers file, something like
root ALL=(ALL) ALL
(I might have the parentheses in the wrong place. I don't edit that file often.)
Just copy this line, and paste it right below changing root to the username.
This will allow that user to run any program as root using his password. I don't at all recommend this if you're actually running a multi-user system (in that case, specify a program.), but if you're just keeping things neat, it's a handy way to allow things to be done.

07-17-2007, 02:13 AM
#7
LQ Newbie
Registered: Apr 2006
Posts: 3
Original Poster
Thanks for the replies. The deeper motivation in having 3 users with 3 accounts is to attempt to keep track of what changes each person makes. So is there software that keeps track of changes made on the system? Does linux keep track of changes made?

07-17-2007, 02:23 AM
#8
LQ Guru
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131
You can use software like tripwire to hunt down modifications made to the filesystem.

07-17-2007, 02:37 AM
#9
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
Quote:
Originally Posted by bakekelwa
Thanks for the replies. The deeper motivation in having 3 users with 3 accounts is to attempt to keep track of what changes each person makes. So is there software that keeps track of changes made on the system? Does linux keep track of changes made?
One of the reasons for using sudo is that sudo logs each command. Using su doesn't. It can take work locking sudo down to prevent a user from running "sudo /bin/bash" or other commands that have shell escapes. For example, you wouldn't want these users running "sudo visudo" which would allow them to change the sudoers file. If they use vim as root, you need to only allow vim with the option that doesn't have the "!" shell escape. Sometimes the human relations aspect is more important than the technical security aspect. Only trust root access to users you trust not to do things like alter logs or abuse root access to read other users' files.

07-17-2007, 02:54 AM
#10
LQ Guru
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131
Quote:
Only trust root access to users you trust not to do things like alter logs or abuse root access to read other users' files.
That's 100% true. Any technical means can't provide a bullet-proof environment, the first and most important factor to think about in these things is "can I trust her/him". Still it doesn't hurt to use technical means to try and minimize the threat. I might be oldish, but I tend to think that only one person (the administrator of the machine) should have root access, and the rest should not. That's the first step to take, rest is up to the admin.

07-17-2007, 04:37 AM
#11
Moderator
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
One very elegant solution is to use sudo to give people access
to "rootshell" and log the activities to a remote host where
the potential root users don't have access to the file system.
As father Stalin put it: "Trust is good. Control is better!" :}
Cheers,
Tink

07-18-2007, 05:26 AM
#12
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
Don't you mean "Uncle Joe"?

07-18-2007, 08:01 AM
#13
Member
Registered: May 2007
Distribution: slackware 11
Posts: 81
I use this method from LQ user 'odcheck' (thank you)
http://www.linuxquestions.org/questi...46#post2394646
Seems quite a nice and secure way to use sudo to me, but what do other LQ users make of it? Are there any possible security issues associated with this method, or is there a way to tighten it up even further? Just throwing this out there.
Last edited by mobilemonkey; 07-18-2007 at 08:05 AM.

07-18-2007, 01:14 PM
#14
Moderator
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Quote:
Originally Posted by mobilemonkey
I use this method from LQ user 'odcheck' (thank you)
http://www.linuxquestions.org/questi...46#post2394646
Seems quite a nice and secure way to use sudo to me, but what do other LQ users make of it? Are there any possible security issues associated with this method, or is there a way to tighten it up even further? Just throwing this out there.
Allowing people to halt or reboot the machine is
hardly the equivalent of root access, though. To
do that you'd have to grant them ALL (whether it's
password protected or not doesn't really make much
difference). And once they have that they can
just 'sudo su -' or 'sudo -i', and away they go
with the only (easily manipulated) log being
.bash_history ....
Cheers,
Tink
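
Added example, not written by any poster in this thread: a log review for the point made in posts #9 and #14, that sudo records each command but a root shell obtained through it leaves nothing further in that log. It flags sudo entries for the programs the thread names (shells, su, visudo, vi/vim); the log lines are constructed and assume the classic sudo syslog layout.

```shell
#!/bin/sh
# Flag sudo log entries whose command hands out an unrestricted root shell.
# The program list comes from this thread; it is a starting point, not a
# complete list. Assumed input layout (classic sudo syslog line):
#   <date> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=<cmd>
# Reads stdin; prints "RAN|DENIED <user> <command line>".

flag_root_shells() {
    awk '
        /COMMAND=/ {
            user = ""; status = ""
            for (i = 1; i <= NF - 3; i++)
                if ($i ~ /^sudo(\[[0-9]+\])?:$/) {
                    user = $(i + 1)
                    # A denial puts a reason before TTY=, so it never ran.
                    status = ($(i + 3) ~ /^TTY=/) ? "RAN" : "DENIED"
                    break
                }
            if (user == "") next
            cmd = $0;    sub(/.*COMMAND=/, "", cmd)   # full command line
            prog = cmd;  sub(/ .*/, "", prog)         # program path only
            base = prog; sub(/.*\//, "", base)        # basename
            if (base ~ /^(sh|bash|su|visudo|vi|vim)$/)
                printf "%s %s %s\n", status, user, cmd
        }
    '
}

# Constructed sample log (hypothetical users and host).
sample_log() {
    cat <<'EOF'
Jul 17 02:40:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Jul 17 02:41:07 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Jul 17 02:45:30 host1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jul 17 02:50:12 host1 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vim /etc/hosts
Jul 17 02:52:44 host1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
EOF
}

sample_log | flag_root_shells
```

Run it against a copy of the log kept on a remote host, as post #11 suggests, since a user who obtained a root shell can edit the local file.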

07-19-2007, 11:14 AM
#15
Member
Registered: May 2007
Distribution: slackware 11
Posts: 81
Thanks tinkster, as you can guess I'm a bit of a noob. I need to look into it all a bit more.

All times are GMT -5.