LinuxQuestions.org
Old 04-25-2012, 07:44 AM   #1
FNC
Member
 
Registered: Feb 2001
Location: South Africa
Distribution: Fedora, Mandriva, PCLOS, SUSE - anything I can get my hands on
Posts: 140

Rep: Reputation: 15
Question Admin Users


Hi Everyone,

I was wondering if anyone knows how to solve this problem.

I have a user that will create new users on a server. Let's call him "userx".

I have added him to the admin group.
Code:
admin:x:546:me,userx
Then I added the following to /etc/sudoers:
Code:
%admin	ALL=/usr/sbin/useradd,/usr/bin/passwd,/usr/sbin/userdel,!/usr/bin/passwd root
As you can see I want userx to be able to add users, change their passwords and remove users, but I do not want userx to change the root password which he does not know.

However this does not prevent userx from doing something like:

Code:
sudo passwd -l root
or
Code:
sudo userdel root
So how would I configure userx so that he can administer users on the server while still preventing him from actually becoming root or breaking something?
What is best practice?
 
Old 04-25-2012, 09:07 AM   #2
amani
Senior Member
 
Registered: Jul 2006
Location: Kolkata, India
Distribution: Debian 64-bit GNU/Linux, Kubuntu64, Fedora QA, Slackware,
Posts: 2,766

Rep: Reputation: Disabled
http://www.gratisoft.us/sudo/sudoers.man.html

commands can be restricted.
 
Old 04-25-2012, 09:10 AM   #3
FNC
Member
 
Registered: Feb 2001
Location: South Africa
Distribution: Fedora, Mandriva, PCLOS, SUSE - anything I can get my hands on
Posts: 140

Original Poster
Rep: Reputation: 15
No, I get that.
My question is, is there an easier way to do this than adding every single possible option that can be used with userdel, passwd related to root in sudoers?
 
Old 04-25-2012, 09:25 AM   #4
amani
Senior Member
 
Registered: Jul 2006
Location: Kolkata, India
Distribution: Debian 64-bit GNU/Linux, Kubuntu64, Fedora QA, Slackware,
Posts: 2,766

Rep: Reputation: Disabled
How will you write "If anything relating to root is to be changed, then ask for root passwd"?
 
Old 04-25-2012, 09:47 AM   #5
FNC
Member
 
Registered: Feb 2001
Location: South Africa
Distribution: Fedora, Mandriva, PCLOS, SUSE - anything I can get my hands on
Posts: 140

Original Poster
Rep: Reputation: 15
If you look more closely at my original post:

Quote:
Originally Posted by FNC

Then I added the following to /etc/sudoers:
Code:
%admin	ALL=/usr/sbin/useradd,/usr/bin/passwd,/usr/sbin/userdel,!/usr/bin/passwd root
As you can see I want userx to be able to add users, change their passwords and remove users, but I do not want userx to change the root password which he does not know.
You can see I am not allowing "/usr/bin/passwd root" to be executed like I mentioned.

Therefore I can also add
Code:
!/usr/bin/passwd me
and
Code:
!/usr/bin/passwd -l me
and
Code:
!/usr/sbin/userdel root
and
Code:
!/usr/sbin/userdel -r root
until I have included

Quote:
Originally Posted by FNC

every single possible option that can be used with userdel, passwd related to root in sudoers.
This might take a long time and some effort, but probably not as long as trying to explain it on this forum...
 
Old 04-26-2012, 08:45 AM   #6
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
Near the end of the manpage is an example explaining how to use wildcards:
Code:
%admin	ALL=/usr/sbin/useradd,/usr/bin/passwd,/usr/sbin/userdel,!/usr/bin/passwd *root*
and similar for the other commands.
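
Added example, not part of any post in this thread: an allowlist wrapper as an alternative to enumerating `!` exclusions, where sudoers grants %admin one script that accepts a fixed verb plus a validated account name and passes no options through. The script name and path, the MIN_UID value and the local-accounts-only lookup are assumptions; the three command paths and the protected names "root" and "me" come from the thread.

```shell
#!/bin/sh
# manage-user (hypothetical name): meant to be the ONLY sudoers entry, e.g.
#   %admin ALL=(root) /usr/local/sbin/manage-user
LC_ALL=C; PATH=/usr/sbin:/usr/bin:/sbin:/bin; export LC_ALL PATH
PASSWD_FILE=/etc/passwd   # assumption: local accounts only (no LDAP/NIS users)
MIN_UID=1000              # assumption: set to UID_MIN from /etc/login.defs
PROTECTED="root me"       # accounts the delegated admin must never touch
# Accept only plain lowercase account names; rejects "", "-l", "a b", "x;y".
valid_name() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}
is_protected() {
    for p in $PROTECTED; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Print the UID recorded for account $1, or nothing if it does not exist.
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }' "$PASSWD_FILE"
}

# Existing, unprotected account with a regular (non-system) UID.
may_modify() {
    valid_name "$1" && ! is_protected "$1" || return 1
    uid=$(uid_of "$1")
    [ -n "$uid" ] && [ "$uid" -ge "$MIN_UID" ]
}

# Well-formed, unprotected name that is not taken yet.
may_create() {
    valid_name "$1" && ! is_protected "$1" && [ -z "$(uid_of "$1")" ]
}

# Exactly two arguments: a verb and a name. Anything else is refused.
main() {
    [ "$#" -eq 2 ] || { echo "usage: manage-user add|passwd|del NAME" >&2; return 2; }
    case "$1" in
        add)    may_create "$2" && exec /usr/sbin/useradd "$2" ;;
        passwd) may_modify "$2" && exec /usr/bin/passwd "$2" ;;
        del)    may_modify "$2" && exec /usr/sbin/userdel "$2" ;;
    esac
    echo "manage-user: refused: $1 $2" >&2
    return 1
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because the UID check refuses every account below MIN_UID, system accounts and any second UID 0 account are covered without being listed by name.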
 
  


All times are GMT -5.