|
|
Sponsored Content
Top Forums
UNIX for Dummies Questions & Answers
su permission
Post 23046 by Kelam_Magnus on Saturday 15th of June 2002 11:07:55 PM
06-16-2002
to me that is a scary proposition!! :eek:
crispexi,
That may be okay for you. However, I only have 2-4 people who need su for root to my boxes. For me that is just one more file to manage which I don't have time to manage.
I can imagine one bad scenario. In an environment that allows users to have a regular password, that type of setup can be jeopardized to gain access to root, if someone gains access to another user's password. Also, I believe that granting group permissions are considered by some to be another possible security breach.
My situation is very restrictive, such that we use one-time password at the user level and less than 5 people have root su privileges, so I don't need to manage another file for only 5 users. Also, we have standards that don't allow us to change permissions on executables that can be considered a security hole.
How many people have root that you would need to create such a file? And why do so many people have root access?
root is privileged for a reason. I hope you trust all of those people implicitly.
The bottom line is if this works for you, great. Just remember, in most cases your scenario is not feasible.
That may be okay for you. However, I only have 2-4 people who need su for root to my boxes. For me that is just one more file to manage which I don't have time to manage.
I can imagine one bad scenario. In an environment that allows users to have a regular password, that type of setup can be jeopardized to gain access to root, if someone gains access to another user's password. Also, I believe that granting group permissions are considered by some to be another possible security breach.
My situation is very restrictive, such that we use one-time password at the user level and less than 5 people have root su privileges, so I don't need to manage another file for only 5 users. Also, we have standards that don't allow us to change permissions on executables that can be considered a security hole.
How many people have root that you would need to create such a file? And why do so many people have root access?
root is privileged for a reason. I hope you trust all of those people implicitly.
The bottom line is if this works for you, great. Just remember, in most cases your scenario is not feasible.
|
|
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Ok heres the situation
I've been studying Solaris 8 for about 6 months now and some things click in my head but others don't.
One of the things that don't click are file permissions.
For example I login at work and I use the ls -l command to get a long listing of the files w/ the permissions.... (2 Replies)
Discussion started by: eloquent99
2 Replies
2. UNIX for Dummies Questions & Answers
Is it possible to set owner to a group? I need to have a group own a process, because there will be 3 diffrent persons that will start and stop this process. They can not use the same users cause och back logging. we need to know who end when a certian user start/stops processes. (1 Reply)
Discussion started by: dozy
1 Replies
3. UNIX for Dummies Questions & Answers
What does the following permission indicate?
-rwSr----- 1 oracle dba 1536 Nov 7 17:05 orapwRTMDB
Thanks,
Rahul. (1 Reply)
Discussion started by: rahulrathod
1 Replies
4. UNIX for Dummies Questions & Answers
Hi,
When I listed one directory in Sun, it showed that :
-rwsr-xr-x 1 root bsmbin 78004 Oct 21 2004 bsmprsm
I don't know meaning of the character "s" in "rws" above. I have searched in Sun admin documents but no result. Would you please explain it ? :)
Thank you so much. (1 Reply)
Discussion started by: msg098
1 Replies
5. UNIX for Dummies Questions & Answers
Hi all,
I created testuser. by following command.
/usr/sbin/adduser -n test -d /disk05/collections/GET/testdata/
and then set its password by following command.
passwd testuser
When I login to system by testuser, it enters everything is ok.
The problem is how to set permission to this... (3 Replies)
Discussion started by: mr_bold
3 Replies
6. Ubuntu
Pictures by worthamtx - Photobucket
The URL is graphic view my present concern. Old partition working great sdb1
both appear on nautilus, both deliver icons to desk top. Based on the label handling of gparted results I tried following with success
sudo mkdir /media/disk/data
sudo chown... (1 Reply)
Discussion started by: 77yrold
1 Replies
7. UNIX for Dummies Questions & Answers
Hello
Whenever we want to oen any type of file by name, we must have execute perm. in each
dir. mentioned in the name. I changed the dir permission using chmod to test the validity of this statement.
but i still can open the file
-------
any guides would be appreciable (2 Replies)
Discussion started by: dr_mabuse
2 Replies
8. UNIX for Dummies Questions & Answers
I dont understand why permission changes are being such a pain in the bum even after I manually changed them through properties....Anyone know what to do here because even thoguh in properties the permissions make me local admin over in the Cygwin its not working..
... (5 Replies)
Discussion started by: okhawaja
5 Replies
9. Linux
I am using korn shell
When I type in Telnet on cmd line, I get message
"cannot execute"
How can I get permission to execute command ? In which dir is telnet located ? I looked in /usr/bin dir. but its not there
Thanks (1 Reply)
Discussion started by: paramshamnani
1 Replies
10. Ubuntu
Trying to get date into the txt file.
It says
Permission denied.
echo $(date +%I:%M:%S_%D) >> /tmp/systemd_suspend_test_err.txt
exec 2>> /tmp/systemd_suspend_test_err.txt
if ; then
# Do the thing you want before suspend here
echo "we are suspending $(date +%I:%M:%S_%D)."
elif ;... (5 Replies)
Discussion started by: drew77
5 Replies
LEARN ABOUT ULTRIX
gshadow
GSHADOW(5) File Formats and Conversions GSHADOW(5) NAME
gshadow - shadowed group file DESCRIPTION
/etc/gshadow contains the shadowed information for group accounts. This file must not be readable by regular users if password security is to be maintained. Each line of this file contains the following colon-separated fields: group name It must be a valid group name, which exist on the system. encrypted password Refer to crypt(3) for details on how this string is interpreted. If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, users will not be able to use a unix password to access the group (but group members do not need the password). The password is used when a user who is not a member of the group wants to gain the permissions of this group (see newgrp(1)). This field may be empty, in which case only the group members can gain the group permissions. A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked. This password supersedes any password specified in /etc/group. administrators It must be a comma-separated list of user names. Administrators can change the password or the members of the group. Administrators also have the same permissions as the members (see below). members It must be a comma-separated list of user names. Members can access the group without being prompted for a password. You should use the same list of users as in /etc/group. FILES
/etc/group Group account information. /etc/gshadow Secure group account information. SEE ALSO
gpasswd(5), group(5), grpck(8), grpconv(8), newgrp(1). shadow-utils 4.5 01/25/2018 GSHADOW(5)