Update - SUMMARY - Assigning "root" privileges to a user
2007-12-25 2:51:00
> > 3. to be able to log onto other systems on the network as root.
This was a typo, as I do not want this user even getting close to the other
systems, so I apologize for the confusion this comment caused everyone.
The recommendations that I listed will be used on a test system first. I am
going to include a series of commands that the user will not be able to
execute - for example, SHELLS - because if I don't, there is nothing to
prevent a user from creating a root shell if they have access to commands
that are scripts or that allow shell escapes. If all of this fails, then
I'll just continue to do what I have done all along, which is nothing.
Cheers,
-deb
-----Original Message-----
From: Barbara Schelkle [mailto:barbara.schelkle at undp.org]
Sent: Thursday, February 12, 2004 7:58 AM
To: Santomauro, Deborah
Subject: RE: SUMMARY - Assigning "root" privileges to a user
Hi Deborah,
>
> User_Alias FULLTIMERS=user1,user2,user3....
> ...
> FULLTIMERS ALL=NOPASSWD:ROOTSHELLS
>
>
> This allows user1,user2,user3... to do 'sudo ksh' and have root perms,
> but not to change root's pw.
I think that's not true. As soon as a user has a root shell, he or she
cannot be prevented from changing root's password. It also doesn't help much
to prevent a user from using certain commands (like passwd) with root
privilege, as long as they have a shell with root privilege. There are
hundreds of ways to change root's password besides using the passwd command
(e.g. using vi or cat or echo or ... to overwrite /etc/shadow).
I can only recommend testing very carefully any solution that is recommended
to you. From my knowledge, it is very difficult to give a user so many
rights and prevent her or him from changing a specific file (/etc/shadow in
this case).
Good luck, Barbara
--
Barbara Schelkle <barbara.schelkle at undp.org> +1 (212) 906-5070 PGP Key
fingerprint = F3D9 19D7 D75F 4810 8D7A 78D5 5158 095B D644 6CC9
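The two messages above make one point between them: a sudoers rule that hands out a shell (or an editor with working shell escapes, or ALL minus a deny-list) cannot be fenced in afterwards. As an added example, not part of the thread, here is a small audit that reads a sudoers fragment and flags exactly those rule shapes; the sample fragment, its users, aliases and commands are constructed, and the NOEXEC tag and the sudoers(5) caveat about subtracting commands with '!' are real sudo features.

```python
import re

# Constructed sudoers sample: the FULLTIMERS/ROOTSHELLS rule quoted in the
# thread plus three alternatives; every user, alias and command is made up.
SAMPLE_SUDOERS = """
Cmnd_Alias ROOTSHELLS = /bin/sh, /bin/ksh, /bin/csh
Cmnd_Alias SERVICES = /usr/sbin/svcadm restart nfs/server, /usr/bin/pkill -HUP inetd
User_Alias FULLTIMERS = user1, user2, user3
FULLTIMERS ALL = NOPASSWD: ROOTSHELLS          # weak: a root shell, nothing after it can be limited
user4 ALL = ALL, !/usr/bin/passwd, !ROOTSHELLS # weak: sudoers(5) says '!' subtraction is not effective
user5 ALL = /usr/bin/vi                        # weak: editor as root without NOEXEC, shell escapes work
FULLTIMERS ALL = NOEXEC: SERVICES              # hardened: exact commands only, NOEXEC blocks escapes
"""

SHELL_RE = re.compile(r"(^|/)(sh|ksh|csh|bash|zsh|tcsh)$")
EDITOR_RE = re.compile(r"(^|/)(vi|vim|view|emacs|less|more|man)$")
SKIP = ("User_Alias", "Host_Alias", "Runas_Alias", "Defaults")

def parse(text):
    """Return ({cmnd_alias: [cmd, ...]}, [(user, spec), ...]) for a fragment."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line or line.startswith(SKIP):
            continue
        lhs, rhs = (s.strip() for s in line.split("=", 1))
        if lhs.startswith("Cmnd_Alias"):
            aliases[lhs.split()[1]] = [c.strip() for c in rhs.split(",")]
        else:
            rules.append((lhs.split()[0], rhs))
    return aliases, rules

def findings(text):
    """Return one (user, reason) per rule that amounts to handing out root."""
    aliases, rules = parse(text)
    out = []
    for user, spec in rules:
        tags, cmds = re.match(r"((?:[A-Z]+:\s*)*)(.*)", spec).groups()
        names = [c.strip() for c in cmds.split(",")]
        if any(n.startswith("!") for n in names):
            out.append((user, "'!' deny-list is not effective (sudoers(5))"))
        # expand Cmnd_Aliases, keep only the program name of each entry
        bins = [e.split()[0] for n in names if not n.startswith("!")
                for e in aliases.get(n, [n])]
        if "ALL" in bins:
            out.append((user, "ALL grants unrestricted root"))
        if any(SHELL_RE.search(b) for b in bins):
            out.append((user, "rule grants a root shell"))
        if any(EDITOR_RE.search(b) for b in bins) and "NOEXEC" not in tags:
            out.append((user, "editor/pager without NOEXEC allows shell escapes"))
    return out
```

Running `findings(SAMPLE_SUDOERS)` flags the three weak rules and passes the NOEXEC allow-list; point it at a real sudoers copy to get the same report before a rule reaches the test system.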