LinuxQuestions.org - Need to protect files from people with su ability

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - Need to protect files from people with su ability (https://www.linuxquestions.org/questions/linux-security-4/need-to-protect-files-from-people-with-su-ability-264870/)

Need to protect files from people with su ability

We are a software company where all the engineers have root access to their computers. Since they can be root, they can be anyone, and therefore can get at anyone's files. Is there a way to prevent this? I want people to have the root access they need to do their jobs, but I also want to protect them from nosey co-workers.

Then you should learn to use group permissions to allow some people access to some things and keep root privilages for yourself.

Could you be more specific?

I'm 100% sure you know more about this than me, so could you be more specific please. Given that the engineers have to be able to build systems, I have to put these systems on the LAN, and the engineers need to continue to have root privileges to do root-y things (mount stuff, install stuff), how could I use groups to facilitate all this so I can take away their ability to su to another user? Are there some references that you could recommend?

Thanks for your time :)

Well no, I don't know much. I'm just a balloon that happened to be floating by. rute has some stuff on groups. If you can find a copy of Running Linux that has some stuff about users and groups. But the situation you describe is complicated as mounting hardware may need root privilages, like you say. It depends on what it is thay need to mount. /etc/fstab can be setup to allow users to mount some things (read man mount for more details). Also supermount or submount can allow limited users to mount hardware (usb stuff, floppy disks). I'm sure there's a way through. The question is, is protecting peoples privacy worth the grief of working out all the details?

Came across this. You should read this guide. It looks like it could help you. (SUDO might be what you are looking for)

http://www.linuxsecurity.com/docs/LD...-security.html

Re: Need to protect files from people with su ability

Quote:

Originally posted by cotton213
We are a software company where all the engineers have root access to their computers. Since they can be root, they can be anyone, and therefore can get at anyone's files. Is there a way to prevent this? I want people to have the root access they need to do their jobs, but I also want to protect them from nosey co-workers.

If you're saying that the engineers have root access to their workstations, what's the problem? No one should be putting files on their workstations besides them. The only way this would be a problem is if you have one root password for every machine in the building, but that would be silly, and I assume that's not the case.

If you mean that the engineers have a group of boxes and they all use them, then none of them should have root. The only reason for a user to get root is a lazy admin, a horrible security policy, the user has cracking ability, or some mix of all of the above.

Having said all that, smnoel is probably pointing you down the right track. sudo is a great little utility. It lets me have root and the junior admins do all the things they would need to do in my absence, and nothing they wouldn't.