We are a software company where all the engineers have root access to their computers. Since they can be root, they can be anyone, and therefore can get at anyone's files. Is there a way to prevent this? I want people to have the root access they need to do their jobs, but I also want to protect them from nosey co-workers.
I'm 100% sure you know more about this than me, so could you be more specific, please? Given that the engineers have to be able to build systems, I have to put these systems on the LAN, and the engineers need to continue to have root privileges to do root-y things (mount stuff, install stuff), how could I use groups to facilitate all this so I can take away their ability to su to another user? Are there some references that you could recommend?
Well no, I don't know much. I'm just a balloon that happened to be floating by. rute has some stuff on groups. If you can find a copy of Running Linux, that has some stuff about users and groups. But the situation you describe is complicated, as mounting hardware may need root privileges, like you say. It depends on what it is they need to mount. /etc/fstab can be set up to allow users to mount some things (read man mount for more details). Also supermount or submount can allow limited users to mount hardware (USB stuff, floppy disks). I'm sure there's a way through. The question is, is protecting people's privacy worth the grief of working out all the details?
Re: Need to protect files from people with su ability
Quote:
Originally posted by cotton213
We are a software company where all the engineers have root access to their computers. Since they can be root, they can be anyone, and therefore can get at anyone's files. Is there a way to prevent this? I want people to have the root access they need to do their jobs, but I also want to protect them from nosey co-workers.
If you're saying that the engineers have root access to their workstations, what's the problem? No one should be putting files on their workstations besides them. The only way this would be a problem is if you have one root password for every machine in the building, but that would be silly, and I assume that's not the case.
If you mean that the engineers have a group of boxes and they all use them, then none of them should have root. The only reason for a user to get root is a lazy admin, a horrible security policy, the user has cracking ability, or some mix of all of the above.
Having said all that, smnoel is probably pointing you down the right track. sudo is a great little utility. It lets me have root and the junior admins do all the things they would need to do in my absence, and nothing they wouldn't.
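A sudoers fragment illustrating the sudo approach recommended in the thread, added here as an example and not taken from any poster. The group name `engineers`, the mount point `/mnt/build`, the binary paths and the wrapper script `/usr/local/sbin/install-approved-pkg` are all assumptions.

```sudoers
# /etc/sudoers.d/engineers
# Constructed example. Group name, paths and the wrapper script are
# assumptions; adjust to the local system (mount may live in /usr/bin).

# Weak form: this is the same as sharing the root password. Anyone in the
# group can become any other user and read that user's files.
# %engineers ALL = (ALL) ALL

# Also weak: a deny-list on top of ALL. The sudoers manual warns that "!"
# exclusions combined with ALL do not reliably restrict a user.
# %engineers ALL = (ALL) ALL, !/bin/su

# Corrected form: allow-list the exact commands and arguments needed.
# Arguments are written out in full so no extra options can be passed.
Cmnd_Alias BUILD_MOUNTS = /bin/mount /mnt/build, /bin/umount /mnt/build

# Hypothetical root-owned wrapper that installs only from an approved list.
# Package installation runs maintainer scripts as root, so treat whatever
# this wrapper accepts as trusted input.
Cmnd_Alias PKG_INSTALL = /usr/local/sbin/install-approved-pkg

# Record every sudo invocation so use of these privileges is reviewable.
Defaults logfile=/var/log/sudo.log

# Members of "engineers" may run only the listed commands, only as root.
%engineers ALL = (root) BUILD_MOUNTS, PKG_INSTALL
```

Check the file with `visudo -cf /etc/sudoers.d/engineers` before relying on it, and use `sudo -l -U <username>` to confirm what a given engineer is actually allowed to run.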