Linux - Server This forum is for the discussion of Linux Software used in a server related context. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
11-23-2010, 06:38 AM
|
#1
|
Member
Registered: Dec 2009
Location: Bristol, UK
Distribution: Ubuntu, Debian, Arch.
Posts: 152
Rep:
|
Backdoor to server?
Hi there
I have a Debian VPS webserver running a forum, and I'm currently looking for a secondary tech-admin. Since they'll have to have the root password for the server, I'm looking for a way to create a backdoor account that I can use to get in if they divulge the root password, or go crazy and lock me out.
Is there a way to do it?
Thanks!
Joe.
|
|
|
11-23-2010, 07:00 AM
|
#2
|
LQ 5k Club
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,578
|
Do you have physical access to the server?
|
|
1 members found this post helpful.
|
11-23-2010, 07:03 AM
|
#3
|
Member
Registered: Dec 2009
Location: Bristol, UK
Distribution: Ubuntu, Debian, Arch.
Posts: 152
Original Poster
Rep:
|
No, it's a VPS on another continent
|
|
|
11-23-2010, 08:13 AM
|
#4
|
Member
Registered: Jun 2005
Location: UK
Distribution: Debian
Posts: 189
Rep:
|
Work out what it is you want them to be able to do and then set that up with the sudo command. As time goes on you can add more commands with root privileges as needs be.
Sudo also gives you the added bonus of logging all the privileged commands that get executed.
Personally if you can't 100% trust someone don't give them root access.
|
|
3 members found this post helpful.
|
11-23-2010, 08:42 AM
|
#5
|
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
|
catkin asks the right 1st question.
The only thing that trumps root is physical access. You want an acct. that can do everything root can do, except change the root password. I think your choices are: - trust your appointee(s),
- learn more about the original intent of sudo & the sudoers file than I care to, or
- be prepared to pay -- possibly through the nose -- your hosting service for on-site maintenance in the event of disaster.
Edit: redgoblin posted while I was still writing (& Hangdog42 while I am editing), sorry for any duplication.
I like the idea of gradual additions to their privileges.
"Limiting their ability to do damage is much more productive than trying to clean up a mess afterward." is especially good advice.
I have a part in the group administration of several servers & am very interested in this. I would welcome posts of specific methods.
Last edited by archtoad6; 11-23-2010 at 08:56 AM.
|
|
|
11-23-2010, 08:47 AM
|
#6
|
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
|
Quote:
Originally Posted by redgoblin
Work out what it is you want them to be able to do and then set that up with the sudo command. As time goes on you can add more commands with root privileges as needs be.
Sudo also gives you the added bonus of logging all the privileged commands that get executed.
Personally if you can't 100% trust someone don't give them root access.
|
This is the way you handle the situation. The sudo command was designed to do exactly what you need. Looking for a backdoor to install probably wont' work since if they have the expertise to lock you out, they probably have the expertise to make sure that you can't use any back door. For example, what if they raised a firewall that only allowed SSH access from certain IP addresses? Or set up SSH to recognize only their account?
Limiting their ability to do damage is much more productive than trying to clean up a mess afterward.
|
|
|
11-23-2010, 09:19 AM
|
#7
|
LQ Guru
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 6,058
|
root access
It is not just a matter of trust: I am reluctant to give ANYONE the root account. I refuse to use it myself when anything else will serve. I log in as myself and use SUDO for logged and controlled access escalation.
I also use other tools so that I can extract a daily log of every command line that was executed at shell that day: but I am a paranoid old coot.
Last edited by wpeckham; 11-23-2010 at 09:21 AM.
|
|
|
11-23-2010, 03:06 PM
|
#8
|
Member
Registered: Dec 2009
Location: Bristol, UK
Distribution: Ubuntu, Debian, Arch.
Posts: 152
Original Poster
Rep:
|
Thanks, I'll check out using sudo! I'd thought about it, but didn't know it was so flexible. (I assumed it was mainly used to stop the bruteforcing of the root account over SSH and the like). All they'll need to be able to do is edit forum configuration files and install styles/modifications, so I guess I can just let them use root privileges in /var/www. Can I do that using sudo?
|
|
|
11-23-2010, 03:51 PM
|
#9
|
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,420
|
Quote:
Originally Posted by Joe of Loath
Thanks, I'll check out using sudo! I'd thought about it, but didn't know it was so flexible. (I assumed it was mainly used to stop the bruteforcing of the root account over SSH and the like). All they'll need to be able to do is edit forum configuration files and install styles/modifications, so I guess I can just let them use root privileges in /var/www. Can I do that using sudo?
|
Easily. You can even get VERY granular, and permit them to run only certain commands. For example, you can deny "vi /etc/shadow", but allow "vi /var/www/form.html".
Think VERY hard about the commands, though. It might seem like a good idea to permit "mkdir" or "cp" commands...but then there's nothing stopping them from running "sudo cp edited-shadow-file /etc/shadow", and removing the root password, for example. The fewer commands allow, the better. And if THEY have access to the box...what will stop them from booting from CD-ROM into single-user mode, and changing the password?
|
|
|
11-24-2010, 06:23 AM
|
#10
|
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
|
Quote:
Originally Posted by Joe of Loath
Thanks, I'll check out using sudo! I'd thought about it, but didn't know it was so flexible. (I assumed it was mainly used to stop the bruteforcing of the root account over SSH and the like).
|
Is this by any chance a result of experience w/ *buntu?
Quote:
Originally Posted by Joe of Loath
All they'll need to be able to do is edit forum configuration files and install styles/modifications, so I guess I can just let them use root privileges in /var/www.
|
Why root? -- Look at the -u option.
Who, user & group, owns /var/www on your system? Show us the result of:
You want to find the simplest, lowest privilege way of accomplishing your goal. It may be as easy as letting these webserver maintainers sudo to become the system account which controls /var/www/.
From /etc/passwd on my MEPIS desktop box:
Code:
www-data:x:<N>:<M>:www-data:/var/www:/bin/sh
Now there is no /var/www/ on my system, so I can't show its ownership; but there is a "www-data" group as well as user, I suspect the ownership of /var/www/ would be root:www-data.
Quote:
Originally Posted by Joe of Loath
Can I do that using sudo?
|
It appears so.
|
|
|
11-24-2010, 04:21 PM
|
#11
|
ELF Statifier author
Registered: Oct 2007
Posts: 676
Rep:
|
Quote:
Originally Posted by TB0ne
Easily. You can even get VERY granular, and permit them to run only certain commands. For example, you can deny "vi /etc/shadow", but allow "vi /var/www/form.html".
|
Not so easily. vi (from the sudo point of view) has two problems:
1. Ability to change edited file/write to any file, not just the one specified on the command line
2. shell escape (i.e from vi which is run as root) you can execute any command of course as root too.
Second problem can be dealt with by using noexec option (or something like this) in the sudoers file
First one (and second too) by using sudoedit.
While allowing to edit only one file doable it's not that obvious.
Last edited by Valery Reznic; 11-26-2010 at 01:34 PM.
|
|
|
11-25-2010, 10:05 PM
|
#12
|
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,420
|
Quote:
Originally Posted by Valery Reznic
Not so easily. v (from the sudo point of view) has two problems:
1. Ability to change edited file/write to any file, not just the one specified on the command line
2. shell escape (i.e from vi which is run as root) you can execute any command of course as root too.
Second problem can be dealt with by using noexec option (or something like this) in the sudoers file
First one (and second too) by using sudoedit.
While allowing to edit only one file doable it's not that obvious.
|
Right...it was only an example, and was also followed up with "Think VERY hard about the commands, though.".
|
|
|
11-26-2010, 01:34 PM
|
#13
|
ELF Statifier author
Registered: Oct 2007
Posts: 676
Rep:
|
Quote:
Originally Posted by TB0ne
Right...it was only an example, and was also followed up with "Think VERY hard about the commands, though.".
|
I just wanted to get more details to your "Think VERY hard about the commands, though." part.
No attack intended.
Valery.
|
|
|
11-26-2010, 06:14 PM
|
#14
|
Member
Registered: Dec 2009
Location: Bristol, UK
Distribution: Ubuntu, Debian, Arch.
Posts: 152
Original Poster
Rep:
|
Quote:
Originally Posted by TB0ne
Easily. You can even get VERY granular, and permit them to run only certain commands. For example, you can deny "vi /etc/shadow", but allow "vi /var/www/form.html".
Think VERY hard about the commands, though. It might seem like a good idea to permit "mkdir" or "cp" commands...but then there's nothing stopping them from running "sudo cp edited-shadow-file /etc/shadow", and removing the root password, for example. The fewer commands allow, the better. And if THEY have access to the box...what will stop them from booting from CD-ROM into single-user mode, and changing the password?
|
No way anyone can access the server, it's virtualised and in Egypt XD
Quote:
Originally Posted by archtoad6
Is this by any chance a result of experience w/ *buntu?
Who, user & group, owns /var/www on your system? Show us the result of:
You want to find the simplest, lowest privilege way of accomplishing your goal. It may be as easy as letting these webserver maintainers sudo to become the system account which controls /var/www/.
|
Funnily enough, yes XD I use it on any box that is used by someone other than me.
I've tried many a time to change ownership of /var/www to a different user, but never managed it. I need to spend more time on it, really.
|
|
|
11-27-2010, 12:08 PM
|
#15
|
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
|
Quote:
Originally Posted by Joe of Loath
No way anyone can access the server, it's virtualised and in Egypt XD
...
Funnily enough, yes XD I use it on any box that is used by someone other than me.
|
What does "XD" mean in this context?
Quote:
Originally Posted by Joe of Loath
I've tried many a time to change ownership of /var/www to a different user, but never managed it. I need to spend more time on it, really.
|
Never mind changing it for now, let's see if we can work around it -- please post the result of:
|
|
|
All times are GMT -5. The time now is 02:51 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|