Sponsored Content
Operating Systems Linux Disable switching to root alternatives Post 302757343 by bakunin on Thursday 17th of January 2013 11:45:18 AM
Old 01-17-2013
Quote:
Originally Posted by jabalv
Do anyone have idea how to block switching to root if user have full sudo?
I don't quite get it: why does the user have "full sudo" (i assume this to mean he can use every command) if he should not be allowed to become root?

If you don't want someone to utilize "full sudo", then just don't give hime "full sudo". If you get into a situation where you have no other choice than to do that you probably have made a serious error in your rights concept long ago. I suggest you reconsider/redo this instead of patching your environment into something which "almost looks like working".

If you bake a cake and you have forgotten the backery improver, you probably end up with a thing of the consistency of a stone. To grind this thing down to powder, add water and the forgotten bakery improver and expecting this to bake to a (tasting) cake is similarly doomed to disenthrall your expectancies. The only way is to start over and do it right this time.

I hope this helps.

bakunin
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Disable Root Console login

After Configuring a brand new netraT1, It appears, the only way you can log in as root is throught the Serial Port (console). I believe there is a file in /etc which can be edited to allow root to access login via other methods eg: telnet, ssh, etc. My Question: Which file contains... (2 Replies)
Discussion started by: SmartJuniorUnix
2 Replies

2. Shell Programming and Scripting

switching between root and a normal user

I am writing a script that has some tasks that must be run as root, then set of tasks to be run as normal user, then again as root. is there a way to switch between users in a script? any other alternatives? thx (3 Replies)
Discussion started by: melanie_pfefer
3 Replies

3. Shell Programming and Scripting

switching user from root to ordinary user

Good day Guys!!! I am currently making a script in AIX, the script runs a SAS job, the owner of the script is the root, but the SAS jobs cannot be run by the root, as it should be run by a user 'sasia'. But inside the script, root creates a logfile, so what I need is just to su to sasia for the... (3 Replies)
Discussion started by: sasia
3 Replies

4. Solaris

Root account - disable expiry

I couldnt find this in any other post - so hoping someone can help out. I want to set password expiry (or rather I have to) for a number of users on my solaris 9 system. I know i can set the following options in the /etc/default/passwd file to do it and then just type a passwd -f <username> to... (6 Replies)
Discussion started by: frustrated1
6 Replies

5. UNIX for Dummies Questions & Answers

Disable root for AIX 5.2

I am able to disable direct root login through telnet. But when I add the rlogin = false into the /etc/security/user file. I am unable to log in as root from ssh. I uncommented the "PermitRootLogin yes" in the sshd_config file. Still can't log in. Can anyone help? (0 Replies)
Discussion started by: james0125
0 Replies

6. Linux

ssh - disable direct root login

Hi Guys.... I am a newbie to unix. I have a requirement. I have a server. I have to configure ssh to disable direct root login and then add a user with sudo access to this server.Then change the ssh port to 22315 and the server should permit the ssh only from my local machine ip.I also have to... (1 Reply)
Discussion started by: mahesh_raghu
1 Replies

7. UNIX for Dummies Questions & Answers

How to disable root login (Not over SSH)?

I have already disabled root login over the ssh by modifying /etc/ssh/sshd_config. But how would i disable root login on a server itself. We have implemented LDAP in our environment and our security guide states that root login must be obtained by first logging into the host using his/her own... (2 Replies)
Discussion started by: pinga123
2 Replies

8. Red Hat

SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Hi all Expertise, I have following issue to solve, SSL / TLS Renegotiation DoS (low) 222.225.12.13 Ease of Exploitation Moderate Port 443/tcp Family Miscellaneous Following is the problem description:------------------ Description The remote service encrypts traffic using TLS / SSL and... (2 Replies)
Discussion started by: manalisharmabe
2 Replies

9. AIX

AIX Disable direct root login problems

I have disabled rlogin for root successfully , but after that i could not login to root from console and could not su to root from other users as it responded as expired account I did not have any admin user but I have managed to recover the situation by accessing rootvg before mounting it, but... (5 Replies)
Discussion started by: majd_ece
5 Replies

10. UNIX for Dummies Questions & Answers

Switching from root to normal user takes me to user's home dir

Whenever i switch from root to another user, by doing su - user, it takes me to home directory of user. This is very annoying as i want to be in same dir to run different commands as root sometimes and sometimes as normal user. How to fix this? (1 Reply)
Discussion started by: syncmaster
1 Replies
SSSD-SUDO(5)						   File Formats and Conventions 					      SSSD-SUDO(5)

NAME
sssd-sudo - Configuring sudo with the SSSD back end DESCRIPTION
This manual page describes how to configure sudo(8) to work with sssd(8) and how SSSD caches sudo rules. CONFIGURING SUDO TO COOPERATE WITH SSSD
To enable SSSD as a source for sudo rules, add sss to the sudoers entry in nsswitch.conf(5). For example, to configure sudo to first lookup rules in the standard sudoers(5) file (which should contain rules that apply to local users) and then in SSSD, the nsswitch.conf file should contain the following line: sudoers: files sss More information about configuring the sudoers search order from the nsswitch.conf file as well as information about the LDAP schema that is used to store sudo rules in the directory can be found in sudoers.ldap(5). Note: in order to use netgroups or IPA hostgroups in sudo rules, you also need to correctly set nisdomainname(1) to your NIS domain name (which equals to IPA domain name when using hostgroups). CONFIGURING SSSD TO FETCH SUDO RULES
All configuration that is needed on SSSD side is to extend the list of services with "sudo" in [sssd] section of sssd.conf(5). To speed up the LDAP lookups, you can also set search base for sudo rules using ldap_sudo_search_base option. The following example shows how to configure SSSD to download sudo rules from an LDAP server. [sssd] config_file_version = 2 services = nss, pam, sudo domains = EXAMPLE [domain/EXAMPLE] id_provider = ldap sudo_provider = ldap ldap_uri = ldap://example.com ldap_sudo_search_base = ou=sudoers,dc=example,dc=com When the SSSD is configured to use IPA as the ID provider, the sudo provider is automatically enabled. The sudo search base is configured to use the compat tree (ou=sudoers,$DC). THE SUDO RULE CACHING MECHANISM
The biggest challenge, when developing sudo support in SSSD, was to ensure that running sudo with SSSD as the data source provides the same user experience and is as fast as sudo but keeps providing the most current set of rules as possible. To satisfy these requirements, SSSD uses three kinds of updates. They are referred to as full refresh, smart refresh and rules refresh. The smart refresh periodically downloads rules that are new or were modified after the last update. Its primary goal is to keep the database growing by fetching only small increments that do not generate large amounts of network traffic. The full refresh simply deletes all sudo rules stored in the cache and replaces them with all rules that are stored on the server. This is used to keep the cache consistent by removing every rule which was deleted from the server. However, full refresh may produce a lot of traffic and thus it should be run only occasionally depending on the size and stability of the sudo rules. The rules refresh ensures that we do not grant the user more permission than defined. It is triggered each time the user runs sudo. Rules refresh will find all rules that apply to this user, check their expiration time and redownload them if expired. In the case that any of these rules are missing on the server, the SSSD will do an out of band full refresh because more rules (that apply to other users) may have been deleted. If enabled, SSSD will store only rules that can be applied to this machine. This means rules that contain one of the following values in sudoHost attribute: o keyword ALL o wildcard o netgroup (in the form "+netgroup") o hostname or fully qualified domain name of this machine o one of the IP addresses of this machine o one of the IP addresses of the network (in the form "address/mask") There are many configuration options that can be used to adjust the behavior. Please refer to "ldap_sudo_*" in sssd-ldap(5) and "sudo_*" in sssd.conf(5). SEE ALSO
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-sudo(5),sss_cache(8), sss_debuglevel(8), sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8),pam_sss(8). AUTHORS
The SSSD upstream - http://fedorahosted.org/sssd SSSD
06/17/2014 SSSD-SUDO(5)
All times are GMT -4. The time now is 01:02 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy