Old 04-19-2011, 12:51 AM   #1
it_guy
LQ Newbie
 
Registered: Jul 2009
Posts: 25

Rep: Reputation: 1
Linux User Permission


Hi,
I'd like to configure one power user in Red Hat Linux and would like to grant permission to do almost anything without using sudo. My concern is I don't want to give anyone the "root" password, but I want someone to do almost everything like the "root" account using this newly created power user account. Kindly guide me on how to configure this.
 
Old 04-19-2011, 01:01 AM   #2
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Hello,

Can you tell us why you don't like to use sudo? Sudo is just the tool for the job, to control to what a user has access. You could create a user and force the UID to 0, that way that user will have the same 'powers' as root, but that would be just the same as using root. If you could indicate what you have against using sudo and what your needs are then we might be able to point you to a solution.

Kind regards,

Eric
 
Old 04-19-2011, 03:06 AM   #3
rajatmendus
LQ Newbie
 
Registered: Mar 2011
Posts: 19

Rep: Reputation: 6
Ya, EricTRA is right. One way is to use sudo and I think it is the best way.
 
Old 04-19-2011, 09:13 AM   #4
SL00b
Member
 
Registered: Feb 2011
Location: LA, US
Distribution: SLES
Posts: 375

Rep: Reputation: 112
Sudo can be configured so the power user has to enter his own password, not root's.

It's the right tool for the job, since what you describe is exactly what it was created for.
 
Old 04-20-2011, 09:52 PM   #5
it_guy
LQ Newbie
 
Registered: Jul 2009
Posts: 25

Original Poster
Rep: Reputation: 1
Hi EricTRA,
Thanks for your helpful answer.
My concern is that if I grant something (commands) to the power user inside the "visudo" file, it will basically affect the whole system and the power user can execute using sudo anywhere in the system. The customer doesn't want this power user to get that kind of system-wide permission. The customer wants that power user restricted to that particular non-system folder inside the system only. Anyway, I have granted full access rights for that folder to the power user. Is that possible? Thanks.
 
Old 04-21-2011, 04:33 AM   #6
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Hi,

Have you looked at some documentation about sudo? What you want to do can be obtained with sudo by configuring it correctly. Here's an example of what you might need to get what you want.

Kind regards,

Eric
 
Old 04-24-2011, 09:02 AM   #7
it_guy
LQ Newbie
 
Registered: Jul 2009
Posts: 25

Original Poster
Rep: Reputation: 1
EricTRA,
Thanks for your reference. I have gone through the document that you provided. My requirement could be a bit different. The power user needs to delete files which belong to other users inside the /DATA folder for the purpose of housekeeping. But if I grant this power user "sudo rm", he will have access to delete any files inside the whole system. That would already be a security breach.
 
Old 04-24-2011, 09:44 AM   #8
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Hello,

You're welcome. You can also limit the commands a user can use to a directory. But maybe ACL is more suited for your needs. Have a look at these two links:
Linux File Security
Know your rights

With the tools explained in those two articles you can define lots of access control lists which will get you far more protection than the standard file permissions. Hope it helps.

Kind regards,

Eric
 
Old 04-25-2011, 09:49 AM   #9
SL00b
Member
 
Registered: Feb 2011
Location: LA, US
Distribution: SLES
Posts: 375

Rep: Reputation: 112
Yeah, granting root authority to rm is not the way to accomplish this. Here are some alternatives:

1) Use ACLs (as described above).
2) Use sudo, but not as root. Grant the group of power users sudo rights to a service account that has delete rights in the /DATA folder.
3) Create scripts that perform the necessary housekeeping routines, and rather than giving the power users sudo rights to the rm command, give them sudo rights to the scripts that execute rm. This gives you the opportunity to fence them into your pre-determined usage of rm.

And if we're talking about routine housekeeping, then the best solution is to use option 3 and execute from cron.

Last edited by SL00b; 04-25-2011 at 09:50 AM.
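
Options 2 and 3 from the post above combined, as an added example that is not part of the original thread: a wrapper script that power users run through sudo as a service account and that refuses anything outside /DATA. The script path, the group poweruser and the account datasvc are assumptions.

```shell
#!/bin/sh
# Added example; all names are hypothetical: script /usr/local/sbin/data-clean,
# group "poweruser", service account "datasvc" with write access under /DATA.
# sudoers entry (edit with visudo):
#   %poweruser ALL=(datasvc) /usr/local/sbin/data-clean
# Power users then run:
#   sudo -u datasvc /usr/local/sbin/data-clean /DATA/tmp/old.log

# Succeed only if $2 is a regular file (not a symlink) whose parent directory,
# after resolving ".." and symlinks, is $1 or a subdirectory of $1.
is_deletable() {
    real_base=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 1
    [ -f "$2" ] && [ ! -L "$2" ] || return 1
    parent=$(cd -P -- "$(dirname -- "$2")" 2>/dev/null && pwd -P) || return 1
    case "$parent/" in
        "$real_base"/*) return 0 ;;   # trailing "/" stops /DATA2 matching /DATA
        *) return 1 ;;
    esac
}

# Delete every argument after $1 that passes the check; refuse the rest.
# Returns non-zero if anything was refused or could not be removed.
clean_files() {
    root=$1; shift
    rc=0
    for f in "$@"; do
        if is_deletable "$root" "$f"; then
            rm -f -- "$f" && echo "removed: $f" || rc=1
        else
            echo "refused: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Run only when file arguments are given, so the functions can also be sourced.
[ "$#" -eq 0 ] || clean_files /DATA "$@"
```

The check and the rm are separate steps, so a user who can rename directories under /DATA can race them; running the wrapper as the service account rather than root bounds what such a race can delete.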
 
Old 04-27-2011, 12:17 AM   #10
it_guy
LQ Newbie
 
Registered: Jul 2009
Posts: 25

Original Poster
Rep: Reputation: 1
sudo but not as root?

Use sudo, but not as root. Grant the group of power users sudo rights to a service account that has delete rights in the /DATA folder.

IT_GUY (Could you please elaborate more on this? How do I grant sudo but not as root? And who is the service account?)
 
Old 05-04-2011, 08:39 PM   #11
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,360

Rep: Reputation: 2751
You could use
Code:
chmod g+s
on the DATA dir and add that user to the group. Possibly even make him the owner of that dir.

Incidentally, the default for sudo is that the user supplies his own passwd, not root passwd. However, as above, this is not really the way to solve your problem.
 
  

