I created 2nd root (root2) by running useradd -o -u 0 root2
is it possible to deny root2 to change password of original root?
please advise

thanks

No. You're off the map with root2.
A better option would be to userdel root2 and if you need a second 'root' make him a type of superuser. If, for instance, you had him alone as part of group root, you could adjust group permissions for things root owns so that the superuser can use them. Look at Kevux for a good example of how that is done. E£verything seems to be controlled by group stuff
http://kevux.org

If you only need other user to do a few cmds, look into sudo
http://linux.die.net/man/8/sudo

Actually, I want to give someone to remote my server for updating his application and also some of his MySQL databases and tables but I don't want to give him root's access rights.

any idea?

please advise

thanks

if you dont want to give all the privileges,then you should go for sudo.
Here you can give the permission what you want to give .

configuration file is /etc/sudoers

#visudo

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

test ALL = !NETWORKING


but user test still able to run /sbin/route

what I missed?

In case you weren't aware, MySQL users don't have anything to do with the system users. It is easy to give him a MySQL user that is completely restricted to the database he is using.


Can user test still run route after a fresh login? Are you editing using visudo? That will give you clues if syntax is wrong.

Also, I would suggest using sudo to allow access to specific commands rather than deny them access. For example, since you haven't denied access to visudo, it is possible that test could use it to edit the sudoers file and give themselves access to the NETWORK commands.

it does not warn me an error .

Can user test still run route after a fresh login? yes, and it does not work
Are you editing using visudo? yes

OK, this is down to something trivial. I put your configuration into my sudoers file and it works, so there are no glaring errors. Maybe something in the spacing or a typo you missed? Here is what mine looks like:

When I try to use sudo with any of those commands, it asks for the password and then denies access to the command.

thanks, but how to only allow user to look into some folders only?

for the mysql part, look at the mysql grant statement

The below allows 'youruser' when connected from the given ip-address '192.168.1.16 to select and insert data from/into all tables in the database 'yourdatabase'.

As the user has local access in your case, you can change the ip-address to 'localhost'.

I assume you can work it out from here.

You're going to have to explain what you're after a bit more fully. Folder access is usually handled by permissions, so a user only has access to folders they have permission to see. If you want to restrict users to specific folders you have to make sure that they are part of a group that can't see folders you don't want them in, and that the restricted folders aren't world readable. By the way, if this is related to the sudo part of the question, this is also an excellent example of why you want to grant access to specific commands rather than denying access to some. A user with the kind of sudo restrictions discussed in this thread could easily get around any folder permission restrictions.

If you'll post some details about what you want, I'm sure we'll come up with a more specific answer.