Since I kept receiving comments on my summary I'll include this addendum.

> > 3. to be able to log onto other systems on the network as root.

This was a typo, as I do not want this user even getting close to the other systems, so I apologize for the confusion this comment caused everyone.

The recommendations that I listed will be used on a test system first. I am going to include a series of commands that the user will not be able to execute - for example, SHELLS - because if I don't, there is nothing to prevent a user from creating a root shell if they have access to commands that are scripts or that allow shell escapes.

If all of this fails, then I'll just continue to do what I have done all along, which is nothing.

Cheers,
-deb

-----Original Message-----
From: Barbara Schelkle [mailto:barbara.schelkle@undp.org]
Sent: Thursday, February 12, 2004 7:58 AM
To: Santomauro, Deborah
Subject: RE: SUMMARY - Assigning "root" privileges to a user

Hi Deborah,

> > User_Alias FULLTIMERS=user1,user2,user3....
> ...
> FULLTIMERS ALL=NOPASSWD:ROOTSHELLS
> 
> This allows user1,user2,user3... to do 'sudo ksh' and have root perms,
> but not to change root's pw.

I think that's not true. As soon as a user has a root shell, he or she cannot be prevented from changing root's password. It also doesn't help much to prevent a user from using certain commands (like passwd) with root privilege, as long as they have a shell with root privilege. There are hundreds of ways to change root's password besides using the passwd command (e.g. using vi or cat or echo or ... to overwrite /etc/shadow).

I can only recommend to test very carefully any solution that is recommended to you. From my knowledge, it is very difficult to give a user so many rights and prevent her or him from changing a specific file (/etc/shadow in this case).

Good luck,
Barbara

--
Barbara Schelkle <barbara.schelkle@undp.org>
+1 (212) 906-5070
PGP Key fingerprint = F3D9 19D7 D75F 4810 8D7A 78D5 5158 095B D644 6CC9
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu Feb 12 12:19:30 2004
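The point Barbara makes above is that a sudoers entry granting a shell (or ALL, or a program with a shell escape such as vi) makes any "!passwd"-style exclusion meaningless, because the user can simply overwrite /etc/shadow from the root shell. A defender's check for that is to audit sudoers for exactly those grants before deploying it. The script below is an added example, not code from the thread or from the sudo project. It parses a small subset of sudoers syntax (User_Alias, Cmnd_Alias, user specs with an optional runas list and NOPASSWD/NOEXEC tags) and flags entries that amount to handing out root. The sample configuration is constructed to mirror the FULLTIMERS/ROOTSHELLS fragment quoted in the thread, and the lists of shell paths and escape-capable programs are assumptions to be extended for the platform in question.

```python
import re

# Constructed sample modelled on the User_Alias/ROOTSHELLS fragment quoted in
# the thread. It is not anyone's real sudoers file.
SAMPLE_SUDOERS = """\
User_Alias FULLTIMERS = user1, user2, user3
Cmnd_Alias ROOTSHELLS = /bin/sh, /bin/ksh, /bin/csh
Cmnd_Alias VIEWLOGS = /usr/bin/id, /usr/bin/tail /var/adm/messages
FULLTIMERS ALL = NOPASSWD: ROOTSHELLS
user4 ALL = (root) ALL, !/usr/bin/passwd root
user5 ALL = /usr/bin/vi
user6 ALL = VIEWLOGS
"""

# Assumption: paths treated as interactive shells; extend for your platform.
SHELLS = {"/bin/sh", "/bin/ksh", "/bin/csh", "/bin/bash", "/usr/bin/ksh", "/usr/bin/bash"}
# Assumption: programs with a shell escape or the ability to write arbitrary
# files as root (the thread names vi; pagers behave the same way).
ESCAPE_CAPABLE = {"/usr/bin/vi", "/bin/vi", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/more"}

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC)\s*:\s*(.*)$")


def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, specs) for a sudoers-style text.

    Only the subset used above is understood: aliases, one user spec per line,
    an optional (runas) list and the NOPASSWD/PASSWD/NOEXEC/EXEC tags.
    """
    user_aliases, cmnd_aliases, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            target = user_aliases if kind == "User_Alias" else cmnd_aliases
            target[name] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            who, host, rest = m.groups()
            rest = re.sub(r"^\([^)]*\)\s*", "", rest)  # drop optional (runas) list
            tags = []
            t = TAG_RE.match(rest)
            while t:
                tags.append(t.group(1))
                rest = t.group(2)
                t = TAG_RE.match(rest)
            specs.append({"who": who, "host": host, "tags": tags,
                          "cmds": [c.strip() for c in rest.split(",")]})
    return user_aliases, cmnd_aliases, specs


def expand(items, aliases):
    """Recursively replace alias names with their members (negated aliases are left as-is)."""
    out = []
    for item in items:
        if item in aliases:
            out.extend(expand(aliases[item], aliases))
        else:
            out.append(item)
    return out


def audit(text):
    """Return sorted (user, finding) pairs for grants that amount to a root shell."""
    user_aliases, cmnd_aliases, specs = parse_sudoers(text)
    findings = set()
    for spec in specs:
        users = expand([spec["who"]], user_aliases)
        cmds = expand(spec["cmds"], cmnd_aliases)
        granted = [c for c in cmds if not c.startswith("!")]
        denied = [c for c in cmds if c.startswith("!")]
        reasons = []
        for c in granted:
            path = c.split()[0]
            if c == "ALL":
                reasons.append("ALL: every command, so any restriction elsewhere is moot")
            elif path in SHELLS:
                reasons.append(f"{path}: interactive root shell")
            elif path in ESCAPE_CAPABLE:
                reasons.append(f"{path}: shell escape / arbitrary file write as root")
        # The thread's point: a '!' exclusion cannot hold once a shell or ALL is granted.
        if denied and reasons:
            reasons.append("'!' exclusions cannot hold once a shell or ALL is granted")
        if reasons and "NOPASSWD" in spec["tags"]:
            reasons.append("NOPASSWD: no password prompt before the above")
        for u in users:
            for r in reasons:
                findings.add((u, r))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in audit(SAMPLE_SUDOERS):
        print(f"{user:8s} {reason}")
```

Run against the constructed sample, user1 through user3 are reported for each of the three shells plus the NOPASSWD tag, user4 for ALL and for the ineffective passwd exclusion, and user5 for vi; user6, who only gets id and tail, produces nothing. The same parse-and-expand step is what makes the check useful on a real file: an innocuous-looking spec line that references an alias is judged by what the alias expands to, which is where the ROOTSHELLS grant in the thread hid its effect.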