LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-08-2004, 07:09 PM   #1
BoldKiller
Member
 
Registered: Apr 2002
Location: Montreal, Quebec
Distribution: Debian, Gentoo, RedHat
Posts: 142

Rep: Reputation: 15
Root acces to multiple users


Hi there,

I was wondering if there was an easy way to give other users root acces.

Before I get lecture about the security impact, let me explain the reason I want to do this.

I maintaint the linux server on our network. Recently, my workload is a bit big! So a second person was found to assit me for a limited period of time. He will need root acces to be able to work. But I feel a little unconfortable to give my root password.

My point is, he wont be there for ever. I know I could change the root password after he leave, but I would like to avoid that. Espacilly since I may get supplementary help help in the future. Imagine a rotating team and constantly changing root password!! What a nightmare!

Any ideas that could ease my natural paranoia of giving my root password??


Thanks for the help, I really appeciate it.

P.S. By the way, I run Debian, in case you were wondering.
 
Old 01-08-2004, 08:09 PM   #2
speedracer05
Member
 
Registered: Jul 2002
Location: San Diego
Distribution: RH 8
Posts: 33

Rep: Reputation: 15
BoldKiller,

Have you considered Sudo? Sudo allows ordinary users to run commands as root using their own password:

http://www.courtesan.com/sudo/sudo.html
 
Old 01-08-2004, 08:29 PM   #3
BoldKiller
Member
 
Registered: Apr 2002
Location: Montreal, Quebec
Distribution: Debian, Gentoo, RedHat
Posts: 142

Original Poster
Rep: Reputation: 15
Looks interesting.
I have taken a quick look. If I understand it allows the authorized users to run any command that root can. The only "cost" is that you need to type sudo before the actual command.

I will look further into it. If ever I was not satisfactory, any other suggestions?

BTW, Thanks for the quick answer.
 
Old 01-10-2004, 06:19 PM   #4
Dataforce
Member
 
Registered: Nov 2003
Distribution: Redhat 9
Posts: 38

Rep: Reputation: 15
can't you just change the id in /etc/passwd to 0?

eg change:
df:x:32013:32013::/home/df:/bin/bash
to
df:x:32013:0::/home/df:/bin/bash

- I think thats it anyways, our security admin did that to make his account have root access (he changed one of the 32013 (or equiv) numbers to 0)

I think its adding it to the group 0 that does it iirc
 
Old 01-12-2004, 07:36 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
can't you just change the id in /etc/passwd to 0?
Changing gid is not a "best practice" solution, IMNSVHO it's a recipe for disaster: imagine the user fscks up a command or the account got cracked. I recommend anyone who needs additional users to do administrative tasks to NOT DO THIS but use sudo instead.

Dataforce, if you disagree, please tell me the pro's and con's of your solution. I'm always willing to learn something new.
 
Old 01-12-2004, 11:02 AM   #6
gruntwerk
Member
 
Registered: Dec 2003
Location: PA
Distribution: fc9
Posts: 89

Rep: Reputation: 15
Yes, sudo or wheel groups are probably your best bet to give access.
What type of tasks do you need the other user to do?
 
Old 01-12-2004, 07:03 PM   #7
BoldKiller
Member
 
Registered: Apr 2002
Location: Montreal, Quebec
Distribution: Debian, Gentoo, RedHat
Posts: 142

Original Poster
Rep: Reputation: 15
1- What do you mean by wheel groups??

2- As for the tasks needed to be done by the other user. Well, for the moment, disk maintenance stuff. Install a raid partition, set-up backup scripts. Prepare disaster recovery procedure (and test them)

3- As for the approach of changing the gid, would'nt I also need to change the uid? (Many files dont have write and execute for the group) In that way, the second user actully logs on as root, but with a different password?

I know it is not really a "secure" practice but in a situation where there are two admin, would'nt it be an effective way to be able to de-active the password of the second one when he leaves?

On the other hand, wont this change make the system behave strangely? I'm not familiar enough with the login process to predict the effects of having two users share the same uid.

Any advices?
 
Old 01-14-2004, 08:55 AM   #8
Dataforce
Member
 
Registered: Nov 2003
Distribution: Redhat 9
Posts: 38

Rep: Reputation: 15
Changing the GID seems to work perfectly for us, it allows our admin user to do most tasks he needs, and else he can simply su to root or what ever.

Sure its not the most secure method, but it allows the other admin user, the access he needs, he can perform kernel upgrades, and anything we need, and we don't need to disclose our root password, so imo, where as it possibly lacks in security, it gains in practicality.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Basic Acces given by root to user Mercurius Linux - Newbie 2 10-17-2005 09:07 PM
RHEL3 Mounting USB after reboot and between reboots: root and non-root users Luis Nunes Linux - Hardware 0 07-20-2005 08:32 AM
Multiple users with the same name...users command buldir Linux - General 2 08-30-2004 04:34 PM
[FC2]Why does the users command display multiple users? Harkov Fedora 1 07-10-2004 09:24 PM
Only root can acces this partition!? benjalien Mandriva 3 10-30-2003 10:30 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:14 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration