02-12-2002
Root logins are generally considered to be a major no-no, for the very reason you state in your post. It is time consuming and sometimes difficult to determine who logged in as "root" at a given time, especially when 20 or more people have root access to your boxes. You may be able to sort it out but its not going to be fun.
The simple way to solve your main problem is to disallow root logins and force users to use su or sudo. Assuming they all need root access (doubtful but possible). When root access is needed for more than one command su leaves a message in the system log stating the user who su'd and the terminal they did it from.
10 More Discussions You Might Find Interesting
1. IP Networking
hi everybody ,
i have a solaris 5.6 box and i want to trace the route on an ip i treid traceroute but soalris 5.6 does not support it ...
is there a command that can be used equivelent to traceroute ?
thanks for your help (2 Replies)
Discussion started by: ppass
2 Replies
2. Shell Programming and Scripting
Does anyone know if there is a util out there to run through a shell script and be able to trace the function call tree. I have inherited some code and the original author was ****mad**** keen on functions - even ones called only once!
If anyone knows of anything I would appreciate it - web... (3 Replies)
Discussion started by: ajcannon
3 Replies
3. UNIX for Dummies Questions & Answers
Can someone help me with commands to trace DHCP on an HP_UX box?
Thanks! (0 Replies)
Discussion started by: nuGuy
0 Replies
4. HP-UX
Hi,
Last day, In one of our unix boxes there was an issue wherein few of the directory structures were missing / got deleted.
Is there any way by which we can find how it happened, I mean by going through syslog / which user had run what command?
Thanks for your help (3 Replies)
Discussion started by: vivek_damodaran
3 Replies
5. HP-UX
on HP-Unix how can i trace user for example "xxx999" ? (4 Replies)
Discussion started by: salhoub
4 Replies
6. Shell Programming and Scripting
Hi
I am working in ksh and getting the trace after trying to remove the file which in some cases does not exist:
$ my_script
loadfirm.dta.master: No such file or directory
The code inside the script which produces this trace is the following:
] || rm ${FILE}.master >> /dev/null
for... (3 Replies)
Discussion started by: aoussenko
3 Replies
7. Solaris
Hi
I would like to display only error messages from my log files while monotring application on my solaris box using tail command.
Is there other way we can monitor please let me know?
In general # tail -f "xyz.log' ---> this will display current activity of the logs, instead i would like... (4 Replies)
Discussion started by: gkrishnag
4 Replies
8. UNIX for Dummies Questions & Answers
Hi,
I am an oracle DBA pretty new to unix. We had one of the filesystems full and a colleague cleared some stuffs to create more space. I just checked now and found there is now more space available. How do i find exactly what he cleared? We have oracle database installed and its a RAC... (4 Replies)
Discussion started by: dollypee
4 Replies
9. Shell Programming and Scripting
Hi All
Thought it would be kind of fun to implement a stack trace for a shell script that calls functions within a sub shell. This is for bash under Linux and probably not portable -
#! /bin/bash
error_exit()
{
echo "======================="
echo $1
echo... (4 Replies)
Discussion started by: steadyonabix
4 Replies
10. AIX
Hi,
is it possible to trace everything about user that changes from its own user to root user, failed and successful attempts (I would need user and IP address of user that was trying to do that)?
I tried adding auth.notice and auth.info in syslog.conf but it only tracks user withoud IP... (6 Replies)
Discussion started by: sprehodec
6 Replies
LEARN ABOUT LINUX
sudo_root
sudo_root(8) System Manager's Manual sudo_root(8)
NAME
sudo_root - How to run administrative commands
SYNOPSIS
sudo command
sudo -i
INTRODUCTION
By default, the password for the user "root" (the system administrator) is locked. This means you cannot login as root or use su. Instead,
the installer will set up sudo to allow the user that is created during install to run all administrative commands.
This means that in the terminal you can use sudo for commands that require root privileges. All programs in the menu will use a graphical
sudo to prompt for a password. When sudo asks for a password, it needs your password, this means that a root password is not needed.
To run a command which requires root privileges in a terminal, simply prepend sudo in front of it. To get an interactive root shell, use
sudo -i.
ALLOWING OTHER USERS TO RUN SUDO
By default, only the user who installed the system is permitted to run sudo. To add more administrators, i. e. users who can run sudo, you
have to add these users to the group 'admin' by doing one of the following steps:
* In a shell, do
sudo adduser username admin
* Use the graphical "Users & Groups" program in the "System settings" menu to add the new user to the admin group.
BENEFITS OF USING SUDO
The benefits of leaving root disabled by default include the following:
* Users do not have to remember an extra password, which they are likely to forget.
* The installer is able to ask fewer questions.
* It avoids the "I can do anything" interactive login by default - you will be prompted for a password before major changes can happen,
which should make you think about the consequences of what you are doing.
* Sudo adds a log entry of the command(s) run (in /var/log/auth.log).
* Every attacker trying to brute-force their way into your box will know it has an account named root and will try that first. What they do
not know is what the usernames of your other users are.
* Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from the admin group, while not
compromising the root account.
* sudo can be set up with a much more fine-grained security policy.
* On systems with more than one administrator using sudo avoids sharing a password amongst them.
DOWNSIDES OF USING SUDO
Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:
* Redirecting the output of commands run with sudo can be confusing at first. For instance consider
sudo ls > /root/somefile
will not work since it is the shell that tries to write to that file. You can use
ls | sudo tee /root/somefile
to get the behaviour you want.
* In a lot of office environments the ONLY local user on a system is root. All other users are imported using NSS techniques such as
nss-ldap. To setup a workstation, or fix it, in the case of a network failure where nss-ldap is broken, root is required. This tends to
leave the system unusable. An extra local user, or an enabled root password is needed here.
GOING BACK TO A TRADITIONAL ROOT ACCOUNT
This is not recommended!
To enable the root account (i.e. set a password) use:
sudo passwd root
Afterwards, edit the sudo configuration with sudo visudo and comment out the line
%admin ALL=(ALL) ALL
to disable sudo access to members of the admin group.
SEE ALSO
sudo(8), https://wiki.ubuntu.com/RootSudo
February 8, 2006 sudo_root(8)