LinuxQuestions.org


BoldKiller 01-08-2004 07:09 PM

Root access to multiple users
 
Hi there,

I was wondering if there was an easy way to give other users root access.

Before I get a lecture about the security impact, let me explain the reason I want to do this.

I maintain the Linux server on our network. Recently, my workload is a bit big! So a second person was found to assist me for a limited period of time. He will need root access to be able to work. But I feel a little uncomfortable giving out my root password.

My point is, he won't be there forever. I know I could change the root password after he leaves, but I would like to avoid that. Especially since I may get supplementary help in the future. Imagine a rotating team and a constantly changing root password!! What a nightmare!

Any ideas that could ease my natural paranoia of giving my root password??


Thanks for the help, I really appreciate it.

P.S. By the way, I run Debian, in case you were wondering.

speedracer05 01-08-2004 08:09 PM

BoldKiller,

Have you considered Sudo? Sudo allows ordinary users to run commands as root using their own password:

http://www.courtesan.com/sudo/sudo.html

BoldKiller 01-08-2004 08:29 PM

Looks interesting.
I have taken a quick look. If I understand correctly, it allows the authorized users to run any command that root can. The only "cost" is that you need to type sudo before the actual command.

I will look further into it. If ever I am not satisfied, any other suggestions?

BTW, Thanks for the quick answer.

Dataforce 01-10-2004 06:19 PM

can't you just change the id in /etc/passwd to 0?

e.g. change:
df:x:32013:32013::/home/df:/bin/bash
to
df:x:32013:0::/home/df:/bin/bash

- I think that's it anyways, our security admin did that to make his account have root access (he changed one of the 32013 (or equiv) numbers to 0)

I think it's adding it to the group 0 that does it, iirc

unSpawn 01-12-2004 07:36 AM

"can't you just change the id in /etc/passwd to 0?"
Changing gid is not a "best practice" solution, IMNSVHO it's a recipe for disaster: imagine the user fscks up a command or the account got cracked. I recommend anyone who needs additional users to do administrative tasks to NOT DO THIS but use sudo instead.

Dataforce, if you disagree, please tell me the pros and cons of your solution. I'm always willing to learn something new.

gruntwerk 01-12-2004 11:02 AM

Yes, sudo or wheel groups are probably your best bet to give access.
What type of tasks do you need the other user to do?

BoldKiller 01-12-2004 07:03 PM

1- What do you mean by wheel groups??

2- As for the tasks needed to be done by the other user. Well, for the moment, disk maintenance stuff. Install a RAID partition, set up backup scripts. Prepare disaster recovery procedures (and test them).

3- As for the approach of changing the gid, wouldn't I also need to change the uid? (Many files don't have write and execute for the group.) In that way, the second user actually logs on as root, but with a different password?

I know it is not really a "secure" practice, but in a situation where there are two admins, wouldn't it be an effective way to be able to deactivate the password of the second one when he leaves?

On the other hand, won't this change make the system behave strangely? I'm not familiar enough with the login process to predict the effects of having two users share the same uid.

Any advice?

Dataforce 01-14-2004 08:55 AM

Changing the GID seems to work perfectly for us; it allows our admin user to do most tasks he needs, and else he can simply su to root or whatever.

Sure, it's not the most secure method, but it allows the other admin user the access he needs: he can perform kernel upgrades and anything we need, and we don't need to disclose our root password, so IMO, whereas it possibly lacks in security, it gains in practicality.
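
Added example, not part of the original thread or written by any of its posters: a shell function that audits passwd and group files for the two edits debated above, a non-root account with UID 0 (third field) or with primary GID 0 (fourth field, the change in the df example), plus supplementary members of group 0. The function names, the helper, alice and bob accounts and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts other than root that carry root's UID or GID.
# passwd fields: name:password:UID:GID:GECOS:home:shell
# group fields:  name:password:GID:member,member,...

# audit_root_ids [PASSWD_FILE] [GROUP_FILE]
# Prints one finding per line as "<kind> <account>"; prints nothing when clean.
audit_root_ids() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    # Field 3 is the UID: a value of 0 makes the account root under another name.
    # Field 4 is the primary GID: a value of 0 is the edit shown in the thread.
    awk -F: '
        $1 == "root"  { next }
        $3 ~ /^0+$/   { print "uid0 " $1 }
        $4 ~ /^0+$/   { print "gid0 " $1 }
    ' "$passwd_file"
    # Supplementary membership of any group whose GID is 0.
    awk -F: '
        $3 ~ /^0+$/ && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "root") print "group0-member " m[i]
        }
    ' "$group_file"
}

# Constructed sample files; only the df line is taken from the thread.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
df:x:32013:0::/home/df:/bin/bash
helper:x:0:1001::/home/helper:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:bob
alice:x:1000:
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
audit_root_ids "$sample/passwd" "$sample/group"
rm -rf "$sample"
```

Run with no arguments it reads /etc/passwd and /etc/group, so it can be scheduled and any output treated as an alert.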

