Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
In a network where multiple people in multiple countries need root access to multiple machines, what is the best way to handle policy governing this?
My main concern is that since I cannot control who a user in another country who may decide to give out a root password to all his buddies, or perhaps if he quits, he'll do so. etc, etc.
Bottom line is, when so many entities need root, what would be the best way to control security?
My first thought was to use sudo. You give user accounts the ability to do things with root powers without them actually becoming root. That way, you don't need to give out the root password and you can see which users carried out which tasks.
So all users who 'sudo' to root will be logged (I assume the logfile will be a bash history file stored on the real root directory somewhere?) Because I'll eventually need to keep tabs on these rascals to ensure that they are not doing something they should not be.
Any other measure you can recommend?
How about social policy? Aside from giving the programmers a directive to change thier password ever few days to something like "IOsaq92rk0e%^$sw232pwerk" , any other suggestions?
Originally posted by Metablade Because I'll eventually need to keep tabs on these rascals to ensure that they are not doing something they should not be.
With sudo, you can specify what command can a specific user run, so they can't even do what they are not supposed to do. For example, you can grant a user only with the privilege to reboot/shutdown the machine, and to edit certain files.
And beside sudo, I think there is another system called SELinux(check Fedora Core or Redhat website for this) which can also set privileges to files, etc to a greater extent. I don't use this since it is more complicated than sudo...
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.