Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Disable switching to root alternatives
Operating Systems Linux Disable switching to root alternatives Post 302758473 by bakunin on Saturday 19th of January 2013 03:30:02 PM
Old 01-19-2013
Quote:
Originally Posted by jabalv
Full sudo is for server administrators, but sometimes there are some people who don`t understand what they are doing or just making mistakes.
These shouldn't be server administrators at all! Admins should only be a VERY FEW select people who have proven their skill, everything else is just plain dangerous.

Quote:
Originally Posted by jabalv
Also other thing is that, root activities are not logged, but sudo activities are logged under /var/log/secure. How to fight against it?
This is a no-brainer: start an interactive program as root which allows a shell escape and then do a shell escape - you have a root shell. For instance: "sudo vi", enter ":!sh" and you have a root shell. What one does inside this shell (and even that he opened the shell) is not seen at all in "/var/log/secure". Or one can trim the file after doing something, because root has write access to the log.

It is an old proverbial truth that root can circumvent absolutely any security mechanism as long as it is server-based. The only thing you can do is to log outside of the area of roots control: on another system, where root is not allowed to become root. See the man page of "syslog" for the possibility to do the logging over the network to a remote system.

I hope this helps.

bakunin
This User Gave Thanks to bakunin For This Post:
jabalv
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Disable Root Console login

After Configuring a brand new netraT1, It appears, the only way you can log in as root is throught the Serial Port (console). I believe there is a file in /etc which can be edited to allow root to access login via other methods eg: telnet, ssh, etc. My Question: Which file contains... (2 Replies)
Discussion started by: SmartJuniorUnix
2 Replies

2. Shell Programming and Scripting

switching between root and a normal user

I am writing a script that has some tasks that must be run as root, then set of tasks to be run as normal user, then again as root. is there a way to switch between users in a script? any other alternatives? thx (3 Replies)
Discussion started by: melanie_pfefer
3 Replies

3. Shell Programming and Scripting

switching user from root to ordinary user

Good day Guys!!! I am currently making a script in AIX, the script runs a SAS job, the owner of the script is the root, but the SAS jobs cannot be run by the root, as it should be run by a user 'sasia'. But inside the script, root creates a logfile, so what I need is just to su to sasia for the... (3 Replies)
Discussion started by: sasia
3 Replies

4. Solaris

Root account - disable expiry

I couldnt find this in any other post - so hoping someone can help out. I want to set password expiry (or rather I have to) for a number of users on my solaris 9 system. I know i can set the following options in the /etc/default/passwd file to do it and then just type a passwd -f <username> to... (6 Replies)
Discussion started by: frustrated1
6 Replies

5. UNIX for Dummies Questions & Answers

Disable root for AIX 5.2

I am able to disable direct root login through telnet. But when I add the rlogin = false into the /etc/security/user file. I am unable to log in as root from ssh. I uncommented the "PermitRootLogin yes" in the sshd_config file. Still can't log in. Can anyone help? (0 Replies)
Discussion started by: james0125
0 Replies

6. Linux

ssh - disable direct root login

Hi Guys.... I am a newbie to unix. I have a requirement. I have a server. I have to configure ssh to disable direct root login and then add a user with sudo access to this server.Then change the ssh port to 22315 and the server should permit the ssh only from my local machine ip.I also have to... (1 Reply)
Discussion started by: mahesh_raghu
1 Replies

7. UNIX for Dummies Questions & Answers

How to disable root login (Not over SSH)?

I have already disabled root login over the ssh by modifying /etc/ssh/sshd_config. But how would i disable root login on a server itself. We have implemented LDAP in our environment and our security guide states that root login must be obtained by first logging into the host using his/her own... (2 Replies)
Discussion started by: pinga123
2 Replies

8. Red Hat

SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Hi all Expertise, I have following issue to solve, SSL / TLS Renegotiation DoS (low) 222.225.12.13 Ease of Exploitation Moderate Port 443/tcp Family Miscellaneous Following is the problem description:------------------ Description The remote service encrypts traffic using TLS / SSL and... (2 Replies)
Discussion started by: manalisharmabe
2 Replies

9. AIX

AIX Disable direct root login problems

I have disabled rlogin for root successfully , but after that i could not login to root from console and could not su to root from other users as it responded as expired account I did not have any admin user but I have managed to recover the situation by accessing rootvg before mounting it, but... (5 Replies)
Discussion started by: majd_ece
5 Replies

10. UNIX for Dummies Questions & Answers

Switching from root to normal user takes me to user's home dir

Whenever i switch from root to another user, by doing su - user, it takes me to home directory of user. This is very annoying as i want to be in same dir to run different commands as root sometimes and sometimes as normal user. How to fix this? (1 Reply)
Discussion started by: syncmaster
1 Replies

LEARN ABOUT DEBIAN

shell-quote

SHELL-QUOTE(1p) 					User Contributed Perl Documentation					   SHELL-QUOTE(1p)

NAME

       shell-quote - quote arguments for safe use, unmodified in a shell command

SYNOPSIS

       shell-quote [switch]... arg...

DESCRIPTION

       shell-quote lets you pass arbitrary strings through the shell so that they won't be changed by the shell.  This lets you process commands
       or files with embedded white space or shell globbing characters safely.	Here are a few examples.

EXAMPLES

       ssh preserving args
	   When running a remote command with ssh, ssh doesn't preserve the separate arguments it receives.  It just joins them with spaces and
	   passes them to "$SHELL -c".	This doesn't work as intended:

	       ssh host touch 'hi there'	   # fails

	   It creates 2 files, hi and there.  Instead, do this:

	       cmd=`shell-quote touch 'hi there'`
	       ssh host "$cmd"

	   This gives you just 1 file, hi there.

       process find output
	   It's not ordinarily possible to process an arbitrary list of files output by find with a shell script.  Anything you put in $IFS to
	   split up the output could legitimately be in a file's name.	Here's how you can do it using shell-quote:

	       eval set -- `find -type f -print0 | xargs -0 shell-quote --`

       debug shell scripts
	   shell-quote is better than echo for debugging shell scripts.

	       debug() {
		   [ -z "$debug" ] || shell-quote "debug:" "$@"
	       }

	   With echo you can't tell the difference between "debug 'foo bar'" and "debug foo bar", but with shell-quote you can.

       save a command for later
	   shell-quote can be used to build up a shell command to run later.  Say you want the user to be able to give you switches for a command
	   you're going to run.  If you don't want the switches to be re-evaluated by the shell (which is usually a good idea, else there are
	   things the user can't pass through), you can do something like this:

	       user_switches=
	       while [ $# != 0 ]
	       do
		   case x$1 in
		       x--pass-through)
			   [ $# -gt 1 ] || die "need an argument for $1"
			   user_switches="$user_switches "`shell-quote -- "$2"`
			   shift;;
		       # process other switches
		   esac
		   shift
	       done
	       # later
	       eval "shell-quote some-command $user_switches my args"

OPTIONS

       --debug
	   Turn debugging on.

       --help
	   Show the usage message and die.

       --version
	   Show the version number and exit.

AVAILABILITY

       The code is licensed under the GNU GPL.	Check http://www.argon.org/~roderick/ or CPAN for updated versions.

AUTHOR

       Roderick Schertler <roderick@argon.org>

perl v5.8.4							    2005-05-03							   SHELL-QUOTE(1p)
All times are GMT -4. The time now is 12:01 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy