Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Best practices for sugroups for root ? backdoor user access ?
Operating Systems AIX Best practices for sugroups for root ? backdoor user access ? Post 303020452 by maraixadm on Thursday 19th of July 2018 06:01:40 PM
Old 07-19-2018
Best practices for sugroups for root ? backdoor user access ?
greetings, just ran across a fun situation we had overlooked.

We have a backdoor user, no special privileges, which we put on every server so that anyone in the shop can get in (passwd in vault) if they need to, even if they don't have a local account on that server. The point of course is to be able to administer when there's a problem and the primary owners aren't available, etc. So su or sudo is a requirement.

The culture here places a high value on audit, the backdoor user is anonymous, and so it doesn't get to be in /etc/sudoers by policy. So it must be able to use 'su' (and thus require the local root pw which is also in the password vault).

We just found that on some servers, sugroups=system for root, the backdoor user is not in system group, so it can't su. Thus disabling its reason for existence.

The backdoor user should of course not be in system group; a cursory glance at /usr/sbin shows the variety of commands that are restricted to system, etc. etc.

Anyone want to suggest a good solution for this thought exercise ?

Simplistically, if sugroups=system is desirable for root (where in this shop userIDs corresponding to real humans may be put in system group to allow them to e.g. do NFS mounts on the fly) then one could add a second group with the singular purpose of authorizing access to su to root, and put the backdoor user in it, and put it in sugroups for root, i.e. sugroups=system,rootsu .

Has someone encountered this before and solved it to your satisfaction, or want to try their hand at the security math here to determine how elaborate the solution has to be ?

If best practices here are well-known, pardon my ignorance, pls share.

TIA !

Here's an IBM DevWorks discussion, it addresses some of the above, quite well: Controlling su access with sugroups
Last edited by maraixadm; 07-19-2018 at 07:07 PM..
 

10 More Discussions You Might Find Interesting

1. HP-UX

user commands without root access

Hi I have been asked to find out how to 1) create users 2) reset passwords 3) kill processes that may require root privileges without having root password, sudo rights or rights to passwd command Any ideas? Thanks in advance (1 Reply)
Discussion started by: emealogistics
1 Replies

2. Solaris

I can not access root user through LAN

Dear i have installed Solaris 10 on SUN V240 after installation i can not access system through root user if i access system through any other user it conects but root is not connecting through LAN if i connect through SC and then access root though cosole -f command it also works kindly... (6 Replies)
Discussion started by: rizwan225
6 Replies

3. Shell Programming and Scripting

access user history as root

Hi, I need to access a user's command history. However, the dilemma is that he is logged in and so his current history is not yet flushed to .bash_history file which gets flushed when he logs out. Is there a way I can still access his most recent history? thank you, S (4 Replies)
Discussion started by: sardare
4 Replies

4. UNIX for Dummies Questions & Answers

How to allow access to some commands having root privleges to be run bu non root user

hi i am new to unix and i have abig task. i have to \run particular commands having root privileges from a non root user. i know sudo is one of the way but i need sum other approach kindly help Thanks (5 Replies)
Discussion started by: suryashikha
5 Replies

5. Shell Programming and Scripting

Urgent Help...Pseudo-Device provides a Backdoor Entry to root.

Can Anybody help to create a pseudo-device and write a device driver for it. The pseudo-device provides a “backdoor” for gaining root access for a particular user. Instead of compiling the device driver into the kernel. Modules are object binaries that can be dynamically loaded into the kernel. ... (1 Reply)
Discussion started by: nyjilgeorge1
1 Replies

6. Homework & Coursework Questions

The pseudo-device provides a “backdoor” for gaining root access for a particular user.

Problem statement. In this part of the assignment, delegates will create a pseudo-device and write a device driver for it. The pseudo-device provides a “backdoor” for gaining root access for a particular user. Instead of compiling the device driver into the kernel, delegate will create a module.... (1 Reply)
Discussion started by: nyjilgeorge1
1 Replies

7. Cybersecurity

Linux Universal Packet/Ham Radio Backdoor - root!

Tails (LiveCD) is crap, and I'm being nice here. Bloated, contains HAMRADIO and PACKET RADIO modules which no one in their right mind would use on a distro aimed at Tor use, I don't even believe 1% of Linux users use them, yet they're generated right there in the directories. Google about ham radio... (0 Replies)
Discussion started by: chipinmybrain
0 Replies

8. Shell Programming and Scripting

How to give root access to non root user?

Currently in my system Red Hat is installed. And Many user connect to my machine via SSH Techia Terminal. I want to give some users a root level access. Can anyone please help me how to make it possible. I too searched on the Google but didn't find the correct way Regards ADI (4 Replies)
Discussion started by: adisky123
4 Replies

9. Solaris

Sudo access of rm to non-root user

Hello, It is Solaris-10. There is a file as /opt/vpp/dom1.2/pdd/today_23. It is always generated by root, so owned by root only. This file has to be deleted as part of application restart always and that is done by app_user and SA is always involved to do rm on that file. Is it possible to give... (9 Replies)
Discussion started by: solaris_1977
9 Replies

10. UNIX for Advanced & Expert Users

Non root user access to /dev/mem

Hi All, I have to install an application which needs access to system BIOS information. The application needs to be installed by non root user. How would i grant read privileges of /dev/mem file to the non root user so that it can capture system BIOS information while running the application?... (13 Replies)
Discussion started by: Soumyadip Dutta
13 Replies

LEARN ABOUT CENTOS

groupmems

GROUPMEMS(8)						    System Management Commands						      GROUPMEMS(8)

NAME

       groupmems - administer members of a user's primary group

SYNOPSIS

       groupmems -a user_name | -d user_name | [-g group_name] | -l | -p

DESCRIPTION

       The groupmems command allows a user to administer his/her own group membership list without the requirement of superuser privileges. The
       groupmems utility is for systems that configure its users to be in their own name sake primary group (i.e., guest / guest).

       Only the superuser, as administrator, can use groupmems to alter the memberships of other groups.

OPTIONS

       The options which apply to the groupmems command are:

       -a, --add user_name
	   Add an user to the group membership list.

	   If the /etc/gshadow file exist, and the group has no entry in the /etc/gshadow file, a new entry will be created.

       -d, --delete user_name
	   Delete a user from the group membership list.

	   If the /etc/gshadow file exist, the user will be removed from the list of members and administrators of the group.

	   If the /etc/gshadow file exist, and the group has no entry in the /etc/gshadow file, a new entry will be created.

       -g, --group group_name
	   The superuser can specify which group membership list to modify.

       -h, --help
	   Display help message and exit.

       -l, --list
	   List the group membership list.

       -p, --purge
	   Purge all users from the group membership list.

	   If the /etc/gshadow file exist, and the group has no entry in the /etc/gshadow file, a new entry will be created.

       -R, --root CHROOT_DIR
	   Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.

SETUP

       The groupmems executable should be in mode 2770 as user root and in group groups. The system administrator can add users to group groups to
       allow or disallow them using the groupmems utility to manage their own group membership list.

		$ groupadd -r groups
		$ chmod 2770 groupmems
		$ chown root.groups groupmems
		$ groupmems -g groups -a gk4

CONFIGURATION

       The following configuration variables in /etc/login.defs change the behavior of this tool:

       MAX_MEMBERS_PER_GROUP (number)
	   Maximum members per group entry. When the maximum is reached, a new group entry (line) is started in /etc/group (with the same name,
	   same password, and same GID).

	   The default value is 0, meaning that there are no limits in the number of members in a group.

	   This feature (split group) permits to limit the length of lines in the group file. This is useful to make sure that lines for NIS
	   groups are not larger than 1024 characters.

	   If you need to enforce such limit, you can use 25.

	   Note: split groups may not be supported by all tools (even in the Shadow toolsuite). You should not use this variable unless you really
	   need it.

FILES

       /etc/group
	   Group account information.

       /etc/gshadow
	   secure group account information

SEE ALSO

       chfn(1), chsh(1), passwd(1), groupadd(8), groupdel(8), useradd(8), userdel(8), usermod(8).

shadow-utils 4.1.5.1						    05/25/2012							      GROUPMEMS(8)
All times are GMT -4. The time now is 08:53 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy