Linux - Security (LinuxQuestions.org forum)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Ok, here's my situation. I'm a SA for several hundred Linux servers. One of our department's major rules is that we simply do NOT share root. PERIOD.
This has worked well, and I have been the "Great Wall of No" at work for quite some time.
However, now politics are involved. We have a couple of clusters that are running Oracle. If you're familiar with Oracle you know that it basically has to be installed as root. Something I detest. Anyway, when we are building out the box, we change the root pw and give it to the DBA team to do their installs and configs. When they are done, we change the root pw (and do not give it to them), and configure sudo to allow them the rights needed to manage Oracle and their databases.
Now however, we have a different situation. The DBAs need access to uninstall and reinstall components and make modifications on an ongoing basis. Since we only support OS and hardware, not app, they are requesting permanent root access. I promptly told them no, and the politics ensued. Their manager went to their director, who went to my director, and suddenly an exception is given for his good golfing buddy.
So here I am, forced to turn loose DBAs on my clusters with full root access/pw. Unless you guys can help me find a *LEGAL* way to do that which I think is impossible.
I need a way to allow specific users (or perhaps a specific user group) the ability to become root WITHOUT sharing the root pw with them.
I'm screwed, aren't I?
Well to cut a long story short... use sudo. It does *exactly* what you're asking for, that's its reason for existing. You don't use the root password in sudo, you use your own. "man sudoers" for more details.
Note: sudo CAN be configured to ask for the root password, but only SLES 10 does that by default (which you can change). Everybody else asks for the user's password.
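A sudoers fragment matching the advice above, as an added example (not posted by anyone in the thread): it lets members of a DBA group become root with their own password, forces off the SLES 10 style "ask for root's password" behaviour, and records the sessions so abuse can be traced. The group name dba, the file name and the log directory are assumptions.

```sudoers
# /etc/sudoers.d/dba-root   (file name assumed; edit only with visudo -f)
# Assumed group name: dba. Members escalate with their OWN password;
# the root password is never handed out.

# Make sudo prompt for the invoking user's password, never root's
# (SLES 10 turned rootpw/targetpw on by default, as noted in the thread).
Defaults:%dba !rootpw, !targetpw, !runaspw

# Re-prompt after 5 idle minutes instead of the usual longer cache.
Defaults:%dba timestamp_timeout=5

# Run through a pty and log keystrokes and terminal output per user.
Defaults:%dba use_pty, log_input, log_output
# Assumed directory; one subdirectory per invoking user.
Defaults:%dba iolog_dir=/var/log/sudo-io/%{user}

# The exception management granted: full root for the DBA group.
%dba ALL=(root) ALL

# Narrower alternative if the grant can be negotiated down later:
# list only the Oracle tooling (paths are placeholders).
# Cmnd_Alias ORACLE = /path/to/oracle/tools/*
# %dba ALL=(root) ORACLE
```

Install it with visudo -f /etc/sudoers.d/dba-root so a syntax error cannot lock everyone out of sudo. The recorded sessions can be replayed with sudoreplay when you need to see exactly what a DBA did as root.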
Next to practical Sudo usage I would like to point out the benefit of having an isolated staging area: it may allow you to recover more easily from breakage, monitor (ab)use and track completed RFC's. You then transfer those to the separate production environment only you have access to.