Update - SUMMARY - Assigning "root" privileges to a user

From: Santomauro, Deborah <deborah.santomauro_at_lmco.com>
Date: Thu Feb 12 2004 - 12:19:41 EST
Since I kept receiving comments on my summary I'll include this addendum.

> > 3. to be able to log onto other systems on the network as root.
This was a typo as I do not want this user even getting close to the other
systems so I apologize for the confusion this comment caused everyone.

The recommendations that I listed will be used on a test system first. I am
going to include a series of commands that the user will not be able to
execute - for example, SHELLS because if I don't, there is nothing to
prevent a user from creating a root shell if they have access to commands
that are scripts or that allow shell escapes.  If all of this fails, then
I'll just continue to do what I have done all along which is nothing.  

Cheers,
-deb

-----Original Message-----
From: Barbara Schelkle [mailto:barbara.schelkle@undp.org] 
Sent: Thursday, February 12, 2004 7:58 AM
To: Santomauro, Deborah
Subject: RE: SUMMARY - Assigning "root" privileges to a user


Hi Deborah,

>
> User_Alias	FULLTIMERS=user1,user2,user3....
> ...
> FULLTIMERS	ALL=NOPASSWD:ROOTSHELLS
>
>
> This allows user1,user2,user3... to do 'sudo ksh' and have root perms,
> but not to change root's pw.

I think that's not true. As soon as a user has a root shell, he or she
cannot be prevented from changing root's password. It also doesn't help much
to prevent a user from using certain commands (like passwd) with root
privilege, as long as they have a shell with root privilege. There are
hundreds of ways to change root's password besides using the passwd command
(e.g. using vi or cat or echo or ... to overwrite /etc/shadow)

I can only recommend to test very carefully any solution that is recommended
to you. From my knowledge, it is very difficult to give a user so many
rights and prevent her or him from changing a specific file (/etc/shadow in
this case).

Good luck, Barbara

--
Barbara Schelkle <barbara.schelkle@undp.org> +1 (212) 906-5070 PGP Key
fingerprint = F3D9 19D7 D75F 4810 8D7A 78D5 5158 095B D644 6CC9
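Both points in this exchange, Deb's plan to list the shells and shell-escaping commands a sudo user may not run, and Barbara's warning that any route to a root shell makes a "!passwd" restriction meaningless, can be checked mechanically before a sudoers file reaches a production box. What follows is an added example written for this archive page, not code from the thread, from sudo, or from either poster: a POSIX sh/awk audit that flags sudoers entries which reach a root shell (directly, through a shell-capable Cmnd_Alias, or through ALL), run against two constructed sudoers samples, the ROOTSHELLS pattern quoted in the thread next to a tightened form. The list of shell-capable commands, the sample file contents and the use of the NOEXEC tag (available in later sudo releases) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sudoers file for grants that
# reach a root shell. Assumptions: sudo-1.6-style syntax (Cmnd_Alias,
# NOPASSWD:/NOEXEC: tags), POSIX sh + awk; SHELLISH is an illustrative list.

SHELLISH='sh|ksh|bash|csh|tcsh|zsh|vi|vim|ex|ed|more|less|man|find|perl|awk|su'

# audit_sudoers FILE: print one line per entry that hands out a root shell.
# FILE is read twice: pass 1 collects shell-capable aliases, pass 2 checks
# the user specifications against them.
audit_sudoers() {
    awk -v shellish="$SHELLISH" '
        FNR == 1 { pass++ }
        {   # join backslash-continued lines, strip leading whitespace
            line = $0
            while (line ~ /\\$/ && (getline nxt) > 0) { sub(/\\$/, "", line); line = line nxt }
            sub(/^[ \t]+/, "", line)
            kw = line; sub(/[ \t].*/, "", kw)          # first word: keyword or user
        }
        line ~ /^(#|$)/ { next }                       # comments and blank lines
        pass == 1 {
            if (kw == "Cmnd_Alias") {
                eq = index(line, "=")
                name = substr(line, 11, eq - 11); gsub(/[ \t]/, "", name)
                cmds = substr(line, eq + 1)
                if (cmds ~ ("/(" shellish ")([ \t,]|$)")) {
                    risky[name] = 1
                    print "shell-capable alias " name ":" cmds
                }
            }
            next
        }
        kw ~ /_Alias$/ || kw == "Defaults" { next }
        {   # user spec:  who  host = (runas) TAG: cmd, cmd, !cmd
            eq = index(line, "="); rhs = substr(line, eq + 1)
            gsub(/\([^)]*\)/, "", rhs)                 # drop the (runas) list
            gsub(/[A-Z]+:/, "", rhs)                   # drop NOPASSWD:, NOEXEC: ... tags
            n = split(rhs, tok, ",")
            for (i = 1; i <= n; i++) {
                t = tok[i]; sub(/^[ \t]+/, "", t); sub(/[ \t]+$/, "", t)
                if (sub(/^!/, "", t)) continue         # "!X" removes one path, never the shells granted elsewhere
                if (t == "ALL")
                    print "ALL commands granted (root shell reachable): " line
                else if (t in risky)
                    print "shell-capable alias " t " granted: " line
                else if (t ~ ("/(" shellish ")([ \t]|$)"))
                    print "shell-capable command granted: " line
            }
        }
    ' "$1" "$1"
}

# sudoers_findings FILE: number of flagged entries (0 means nothing found)
sudoers_findings() { audit_sudoers "$1" | wc -l | tr -d ' '; }

# Constructed sample: the pattern from the thread, plus an "ALL but passwd" grant
write_weak_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, not a real sudoers file
User_Alias  FULLTIMERS = user1, user2, user3
User_Alias  PARTTIMERS = user4
Cmnd_Alias  ROOTSHELLS = /bin/sh, /bin/ksh, /usr/bin/bash
Cmnd_Alias  ADMIN = /usr/sbin/lpadmin, /usr/bin/vi
FULLTIMERS  ALL = NOPASSWD: ROOTSHELLS
FULLTIMERS  ALL = ALL, !/usr/bin/passwd
PARTTIMERS  ALL = ADMIN
EOF
}

# Constructed sample: only commands without a shell escape, NOEXEC as belt and braces
write_tight_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, not a real sudoers file
User_Alias  FULLTIMERS = user1, user2, user3
Cmnd_Alias  SAFEADMIN = /usr/sbin/lpadmin, /usr/bin/prstat, \
                        /usr/sbin/ifconfig -a
FULLTIMERS  ALL = NOEXEC: SAFEADMIN
EOF
}

# Stand-alone demonstration over the two constructed files
d=$(mktemp -d)
write_weak_sudoers "$d/weak"; write_tight_sudoers "$d/tight"
echo "weak:  $(sudoers_findings "$d/weak") finding(s)"; audit_sudoers "$d/weak"
echo "tight: $(sudoers_findings "$d/tight") finding(s)"
rm -rf "$d"
```

The weak sample produces five findings: the two aliases that contain shells or vi, the NOPASSWD grant of ROOTSHELLS, the ALL grant (reported as such even with "!/usr/bin/passwd" attached, because the negation removes one path while every other root command, editors included, still leads to a shell), and the grant of ADMIN. The tightened sample produces none; NOEXEC there only blocks exec() from dynamically linked programs and is no substitute for keeping shells and editors off the list in the first place.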
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu Feb 12 12:19:30 2004

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:26 EST