Update - SUMMARY - Assigning "root" privileges to a user

From: Santomauro, Deborah (deborah.santomauro@lmco.com)
Date: Thu Feb 12 2004 - 12:13:19 EST


Since I kept receiving comments on my summary I'll include this addendum.

> > 3. to be able to log onto other systems on the network as root.
This was a typo as I do not want this user even getting close to the other
systems so I apologize for the confusion this comment caused everyone.

The recommendations that I listed will be used on a test system first. I am
going to include a series of commands that the user will not be able to
execute - for example, SHELLS because if I don't, there is nothing to
prevent a user from creating a root shell if they have access to commands
that are scripts or that allow shell escapes. If all of this fails, then
I'll just continue to do what I have done all along which is nothing.

Cheers,
-deb

-----Original Message-----
From: Barbara Schelkle [mailto:barbara.schelkle@undp.org]
Sent: Thursday, February 12, 2004 7:58 AM
To: Santomauro, Deborah
Subject: RE: SUMMARY - Assigning "root" privileges to a user

Hi Deborah,

>
> User_Alias FULLTIMERS=user1,user2,user3....
> ...
> FULLTIMERS ALL=NOPASSWD:ROOTSHELLS
>
>
> This allows user1,user2,user3... to do 'sudo ksh' and have root perms,
> but not to change root's pw.

I think that's not true. As soon as a user has a root shell, he or she
cannot be prevented from changing root's password. It also doesn't help much
to prevent a user from using certain commands (like passwd) with root
privilege, as long as they have a shell with root privilege. There are
hundreds of ways to change root's password besides using the passwd command
(e.g. using vi or cat or echo or ... to overwrite /etc/shadow).

I can only recommend to test very carefully any solution that is recommended
to you. From my knowledge, it is very difficult to give a user so many
rights and prevent her or him from changing a specific file (/etc/shadow in
this case).

Good luck, Barbara

--
Barbara Schelkle <barbara.schelkle@undp.org> +1 (212) 906-5070 PGP Key
fingerprint = F3D9 19D7 D75F 4810 8D7A 78D5 5158 095B D644 6CC9
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
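
The point made in this thread (a rule that grants a shell, or that denies a list of shells on top of ALL, still amounts to full root) can be checked mechanically before a sudoers file goes onto the test system. The following is an added example, not code from the thread or from the sudo project; the alias contents, paths, user4 to user7 and the short command-name lists are assumptions made for illustration.

```python
import re

# Assumed, non-exhaustive name lists for illustration only.
SHELLS = {"sh", "ksh", "csh", "bash", "tcsh", "zsh"}
EDITORS = {"vi", "ed"}        # can rewrite any file, e.g. /etc/shadow
PAGERS = {"more", "less"}     # offer a shell escape unless NOEXEC is set
# Constructed sample; only the FULLTIMERS rule mirrors the thread.
SAMPLE_SUDOERS = """\
User_Alias FULLTIMERS = user1, user2, user3
Cmnd_Alias ROOTSHELLS = /usr/bin/ksh, /usr/bin/sh
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/ksh, /usr/bin/csh
FULLTIMERS ALL=NOPASSWD:ROOTSHELLS
user4 ALL = ALL, !SHELLS
user5 ALL = /usr/bin/vi /etc/hosts
user6 ALL = NOEXEC: /usr/bin/more
user7 ALL = /usr/sbin/ufsdump
"""

def audit_sudoers(text):
    """Return (who, finding) pairs for rules that amount to full root."""
    # Simplified: one rule per line, tags only at the start, no continuations.
    aliases, findings = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        alias = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if alias:
            aliases[alias.group(1)] = [c.strip() for c in alias.group(2).split(",")]
            continue
        rule = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?((?:[A-Z_]+:\s*)*)(.+)", line)
        if not rule or re.match(r"\w+_Alias\b|Defaults", line):
            continue
        who, tags, spec = rule.groups()
        items = [i.strip() for i in spec.split(",")]
        allowed = [i for i in items if not i.startswith("!")]
        if "ALL" in allowed:  # negations cannot enumerate every route to a shell
            findings.append((who, "deny-list-on-ALL" if len(allowed) < len(items) else "unrestricted"))
            continue
        for item in allowed:
            for cmd in aliases.get(item, [item]):
                base = cmd.split()[0].rsplit("/", 1)[-1]
                if base in SHELLS:
                    findings.append((who, "root-shell:" + cmd))
                elif base in EDITORS or (base in PAGERS and "NOEXEC:" not in tags):
                    findings.append((who, "editor-or-pager:" + cmd))
    return findings

if __name__ == "__main__":
    for who, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(who, finding)
```

An empty result only means none of these known patterns matched; it does not show that a rule set is safe.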