I don't understand what you're asking; anything can be changed if it is
accessible. The system's serial may be changeable if one can swap the
motherboard ...
jefro, I agree with you, but I want to restrict changing hostnames from root, as some of the users/team require root access (admin root access) to perform their task. Can you elaborate more or give an example of how to encrypt the folder or create security keys?
It would be helpful if you provide a bit more background information on what exactly you want to do. Root is 'all powerful' and has access to everything on a system. So please clarify what you want to obtain since prohibiting root from accessing the sudoers file will not be possible in my opinion. You could limit access using chattr but you indicated that's not what you want.
Actually there are 3000+ users in my network & some users have the admin access to perform their task, so to secure systems in the network where they could not modify hostname & sudoers files.
Looking at it from that point of view I'd enforce using a configuration controlled by you for sudoers by setting it up with Puppet, for example. But again, if they have the admin password they could easily disable the Puppet client, so you'd have to respawn it, which could also be 'edited' by the root user. I strongly suggest you limit root access to the minimal number of people possible and configure sudo to give extra permissions to additional users, limiting them to the strict minimal commands necessary. I've recently encountered the same problem (with fewer users) and have it set up with Puppet and limiting access with sudo to a limited set of commands. Permissions to files I've set with ACLs. In my situation there are only three guys who have the root password and about 25 who use the same environments with sudo where needed without any problems.
Thanks for the info. Actually I am using Puppet & want to restrict the root user so that the hostname cannot be changed temporarily or permanently, because on doing so Puppet will pick up the modified hostname & due to the same the certs will get signed.
Does that mean that you're automatically signing the certs? In this case you could deactivate autosigning to avoid that problem OR, more adequate, if you have that possibility, would be to force based on domain name. This would force the same sudoers configuration on whatever host in that domain and you can keep the autosigning active. But you'd still stay in the same vicious circle: they could disable the Puppet service. The best solution in my opinion is to change the admin password and limit them by configuring sudo more specifically to their needs.
I never tried it but it may be possible to encrypt that file or folder so that only the OS can open it or some authenticated user. This still goes back to you gave idiots too much power. Who would change a hostname? For what reason? I'd suspect foul play.
You can't encrypt /etc ... no one would be able to use the machine at all.
Actually there are 3000+ users in my network & some users have the admin access to perform their task, so to secure systems in the network where they could not modify hostname & sudoers files.
The answer to this is not how to restrict access to the sudoers file, but
to modify the sudoers file so these users w/ elevated privilege levels
can do only a few well defined things; sudo - and sudo su <-> shouldn't
be among them; EVER!
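
Added example, not part of the thread or any poster's own code: a small audit that reads a sudoers policy and reports grants that are broader than "a few well defined things", including the hostname tools this thread is about. The two command lists and the sample policy are assumptions constructed for illustration.

```python
import os
import re

# Assumed lists for this example; extend them for your own site.
ROOT_ESCAPES = {"su", "sudo", "sh", "bash", "dash", "zsh", "visudo"}
HOSTNAME_TOOLS = {"hostname", "hostnamectl"}

# Constructed sample policy, not taken from the thread.
SAMPLE_POLICY = """
Cmnd_Alias WEB = /usr/bin/systemctl restart nginx, /usr/bin/journalctl -u nginx
Cmnd_Alias NET = /usr/bin/hostnamectl, /usr/sbin/ip
%webadmins ALL = (root) WEB
alice ALL = (ALL) NOPASSWD: ALL, !/usr/bin/su
bob ALL = (root) /usr/bin/su -, NET
"""

def _commands(spec, aliases):
    """Split a command list, dropping (runas) parts and tags, expanding aliases."""
    out = []
    for item in re.sub(r"\([^)]*\)", "", spec).split(","):
        item = re.sub(r"^\s*(?:[A-Z_]+:\s*)*", "", item).strip()
        out.extend(aliases.get(item, [item] if item else []))
    return out

def audit_sudoers(text):
    """Return (who, command, reason) for every grant broader than a fixed task."""
    aliases, findings = {}, []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith(("#", "@", "Defaults")):
            continue
        alias = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        if alias:
            aliases[alias.group(1)] = _commands(alias.group(2), aliases)
            continue
        if re.match(r"\w+_Alias\b", line) or "=" not in line:
            continue
        who, spec = line.split()[0], line.split("=", 1)[1]
        for cmd in _commands(spec, aliases):
            if cmd.startswith("!"):
                continue  # a negation grants nothing; "ALL, !cmd" is still ALL
            name = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((who, cmd, "unrestricted"))
            elif name in ROOT_ESCAPES:
                findings.append((who, cmd, "root shell or policy edit"))
            elif name in HOSTNAME_TOOLS:
                findings.append((who, cmd, "can change hostname"))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```

The `%webadmins` rule passes because every command in it is pinned to fixed arguments; a real policy should still be syntax-checked with `visudo -c` before it is distributed.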