LinuxQuestions.org


FatSteve 11-14-2003 09:57 AM

Giving users more rights (Admin)
 
I have 2 problems.

1. I need to give 2 users the same rights as root. The policy in place in our company is that you are not meant to use admin accounts. You have to have accounts with those rights so that actions can be accountable to a person.

2. I need to be able to set up a user that can administer other users' passwords. I need a user to have permissions to be able to reset passwords of other users so that a root login is not needed.

Any help would be appreciated, but please bear in mind I am trying not to use the root account or the su command.

TIA

Steve

Blinker_Fluid 11-14-2003 11:04 AM

Just had this thought of a Windows security person trying to say how a *nix system should run...

It sounds like you want 2 accounts that are root equivalents and it also sounds like these 2 accounts will have people logged in so they are basically root all the time. (back to the all users are admins in windows...)
There are other things that I would rather do than have 2 people always running with root privileges... restrict root so users cannot directly log in as root, set up a script to email you every time someone logs in to root, archive/send to another source /var/log/messages, probably more but I'm still waking up. ;)

I worked at one company that had some AIX systems running where occasionally the DBAs would need to run a root command. They used something like sudo except every time they ran the command an email was sent to the system administrators at the moment it was run. The email contained the command that was issued. This would be my preference instead of having 2 users running with root privs.

cyph3r7 11-14-2003 12:42 PM

It's like any other group permissions. Unfortunately I don't know which group will be able to modify accounts since I lazily added mine to wheel.

Aurix 11-15-2003 08:42 PM

Alternatively, you should look into the sudo command.

sudo allows you to allow users to run particular commands as other users (such as root). Any usage of sudo is logged, and seems to suit what you need.

Cheers.

FatSteve 11-16-2003 08:03 AM

Thanks for the help, I think the sudo command will work for the password admins.

I am not sure if it would for the administrators though (yes you are getting visions of Windows). The accounts with root privileges would only be used when it is needed to login and perform an admin task (Adding printers etc) so the 2 admins would not be always logged on with root privileges.

It is basically down to the auditors in the company wanting accountability for actions. If say I logged on as root and removed a file there is no way of telling that it was me that logged on and did it.

From a Windows point of view the procedure is that the admin password is locked in the safe and no one knows it, with individual admin accounts being set up with a unique password for each user. If a login as root is needed then the password would be known to more than one person.

Cheers

Steve

Aurix 11-16-2003 04:00 PM

Gday Steve,

I don't think you fully understand how sudo works.

Sudo will provide accountability, as it logs (in /var/log/messages in most cases) all use of the command, and what command which user executed.

Read up on sudo, it can do what you need =)


Cheers mate.

unSpawn 11-17-2003 09:29 AM

Try not to see "root" as an account but as a set of capabilities. You know those capabilities are most powerful, irreversible when applied to accounts (and coveted by anyone who doesn't have them).
Allowing root privileges to be handled by more than one account multiplies risks of handling root's tasks. It isn't part of "best practices", regardless of what your company's policies say. Almost any solution would be qualitatively better than allowing this to happen. Sudo should not be an alternative but your first choice.

BTW, do I get it right the company doesn't trust (skilled)? admins?


Sudo will provide accountability, as it logs (in /var/log/messages in most cases) all use of the command, and what command which user executed.
Running sudo paired with some auditing tools may help you make a case for Sudo. For commands that handle like editing device configuration you should write a wrapper or a front-end to validate input and config consistency, patch the kernel with LIDS or Grsecurity. This will allow you to ACL the system and processes to the point where even root can be denied access to Do Stuff and adds auditing capabilities (in the case of Grsecurity). Next set up an LD_SO_PRELOAD environment which loads libraries that log deletions, or use syscalltracker.
Top it off with setting the immutable bit on system binaries and configs to protect against "casual" deletion, harden the shell's configs, add filesystem integrity checking to keep a tab on changes and add remote logging. I use a custom vi wrapper to edit configs. It respects extended file attributes (immutable, undelete etc), allows me to do a rollback and provides me editing history.


What we try to say is, exhaust Sudo's capabilities, then look for other methods.

FatSteve 11-19-2003 06:37 AM

Thanks everyone, let's just say I drastically underestimated the capabilities of sudo.

Steve
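
A sudoers policy covering both requirements from the first post, plus the per-command e-mail described earlier in the thread, as an added example that is not part of any post. The account names steve, alice and pwadmin, the mail address and the /usr/bin/passwd path are assumptions.

```sudoers
# /etc/sudoers -- constructed example; edit only with visudo, which
# syntax-checks the file before installing it.
# steve, alice, pwadmin and the mail address are placeholders.

# Mail every sudo invocation (user and command line) to the sysadmins.
# The address is quoted so the @ sign is not interpreted by sudo.
Defaults    mail_always
Defaults    mailto="sysadmins@example.com"

# Keep a dedicated sudo log in addition to syslog.
Defaults    logfile=/var/log/sudo.log

User_Alias  FULLADMINS = steve, alice
User_Alias  PWADMINS   = pwadmin

# Requirement 1: full root rights under personal accounts.
# Each user authenticates with their own password; the root password
# can stay locked away. Note that (ALL) ALL also permits starting a
# root shell through sudo, and commands typed inside that shell are
# not logged individually by sudo.
FULLADMINS  ALL = (ALL) ALL

# Requirement 2, weak form (left commented out): with no argument
# restriction this also allows "passwd root" and bare "passwd",
# which changes root's own password.
# PWADMINS  ALL = /usr/bin/passwd

# Requirement 2, tighter form: an argument starting with a letter is
# required (so no bare "passwd" and no leading option), and anything
# mentioning root is refused. The full admins are excluded as well,
# because resetting their passwords would be an indirect path to root.
PWADMINS    ALL = /usr/bin/passwd [A-Za-z]*, \
                  !/usr/bin/passwd *root*, \
                  !/usr/bin/passwd steve, \
                  !/usr/bin/passwd alice
```

Running `sudo -l` as each of these users lists what that account is allowed to run, which is a quick way to confirm the policy before relying on it.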


All times are GMT -5.