03-14-2019
I know this might be a daft question, but why would you want to share a very powerful account with someone else but leave one thing out. Either you trust them, or you don't. Don't give privileges to anyone for anything unless you are happy that they are safe to do the thing and that they can't escape and do something else.
I might be paranoid, but not only did we keep all users as 'ordinary' and with (full path) scripted sudo rules but for things with user accounts (even password resets) we intercepted the official code and added our own logging. People in the security group which are already allowed to do such things ended up being logged so we could at least trace it back. You learn to be paranoid in a financial company where someone managed to get another user's password rest and then performed fraudulent actions (i.e. I've seen the death certificate, pay out the life assurance) as someone else.
Basically, only give the minimum required to do the job. Don't just allow them in with total access if they don't need it or because it's convenient and saves having to define appropriate security rules on your data.
Security is usually like birth control methods - people don't like them and try to avoid using them but if you get caught out, it is too late. Prevention (or abstinence) is better than remedial action or just living with the consequences.
You need to ask yourself very carefully what they actually need. Be extremely cautious.
Just my thoughts.
Can you tell us more about what they really need to do?
Robin
These 2 Users Gave Thanks to rbatte1 For This Post:
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
I need to set up/modify a user account on one of our machines which will allow the user to stay on the system, but not use their user id and password to login to the machine. It is for the purposes of an ftp user, so that nobody can then login as ftp/passwd. Ta.:) (2 Replies)
Discussion started by: danhodges99
2 Replies
2. AIX
Hi all,
I am a newbe to aix 5.2. I want to specify the characters used by users while creating user in aix like specifying the length of the password
should i use some sript for that if it is then please let me know how to do this
if yes give me the link for the scripts.
Thanks in advance
... (2 Replies)
Discussion started by: Satya Mishra
2 Replies
3. UNIX for Dummies Questions & Answers
I created a user, i login as a root. I add him in the group where he can access and login as a root! I checked it in users' list and in group's list, he is there. My problem is this, I cant login using the username/account I just created! What should i do to use and login the user/account i've just... (5 Replies)
Discussion started by: jerome
5 Replies
4. Shell Programming and Scripting
Hi,
My requirement is that i am login from ROOT in a script but when any
command is coming which is logging to sqlplus then i have to run it with normal user as only normal user have permission to connect to sqlplus .
i tried making a script like this :
#! /bin/ksh
su -... (3 Replies)
Discussion started by: rawatds
3 Replies
5. Cybersecurity
Dears
I want to prevent users from doing spesific command "history -c" or "history" in general
How can I do ? (4 Replies)
Discussion started by: reaky
4 Replies
6. IP Networking
hi all,
i want to prevent users downloading files in the office as bandwidth becomes very low
and affects work.
one of my friend tried to close the connection using ethercap but this does not work.
i have a debian desktop while other users use MS W!ndows.
Please provide any help. Thanks (5 Replies)
Discussion started by: coolatt
5 Replies
7. Shell Programming and Scripting
Hi Every body,
I would need a shell script program to login as different user and perform some copy commands in the script.
example: Supppose ora_toms is the active user
ora_toms should be able to run a script where user: ftptomsp pass: XXX should login through and run the commands
... (9 Replies)
Discussion started by: ujjwal27
9 Replies
8. Shell Programming and Scripting
now i have logged in username : ramesh in unix
Now i have to created script file to login into another user and have run a command inside that user and after executing the command i have to exit from that user.
Inside script, i have to login into su - ram along with password : haihow and have to... (4 Replies)
Discussion started by: rammm
4 Replies
9. Shell Programming and Scripting
Hi could some let me know how to prevent user from changing his home directory.......
Thanks in advance.... (1 Reply)
Discussion started by: Revanth547
1 Replies
10. Shell Programming and Scripting
Hi could some let me know how to prevent user from changing his home directory.......
Thanks in advance.... (6 Replies)
Discussion started by: rahul547
6 Replies
LEARN ABOUT DEBIAN
pam_pwcheck
pam_pwcheck(8) Reference Manual pam_pwcheck(8)
NAME
pam_pwcheck - PAM module for password strength checking
DESCRIPTION
The pam_pwcheck is a PAM module for password strength checking. It makes additional checks upon password changes, but does not perform the
change itself. It only provides functionality for one PAM management group: password changing.
This module works in the following manner: if enabled, it first calls the Cracklib routine to check the strength of the password; if crack
likes the password, the module does an additional set of strength checks. These checks are:
Palindrome
Is the new password a palindrome of the old one?
Case Change Only
Is the new password the old one with only a change of case?
Similar
Is the new password too similar to old one?
Simple Is the new password too short?
Rotated
Is the new password a rotated version of the old password?
Already used
Was the password used in the past? Previously used passwords are to be found in /etc/security/opasswd.
OPTIONS
The following options may be passed to the module:
cracklib=<path to dictionaries>
Use cracklib library for password checks. This parameter also contains the path to the cracklib dictionaries. The default is
/usr/lib/cracklib_dict.
debug A lot of debug information is printed with syslog(3).
maxlen=number
Number of significant characters in the password for crypt(3). A value of zero suppresses this check. The default is 0.
minlen=number
The minimum number of characters in an acceptable password. A new password with fewer characters will be rejected. A value of zero
suppresses this check. The default is 5.
no_obscure_checks
No additional checks will be performed before a new password is accepted. Since the checks performed are fairly simple, their usage
is recommended.
not_set_pass
If this option is given, pam_pwcheck will not make the new password available for other modules.
nullok Normally the account is disabled if no password is set or if the length of the password is zero. With this option you can allow the
user to change his password for such accounts. This option does not overwrite a hardcoded default by the calling process.
tries=number
Maximum number of attempts to change a password if the new ones are rejected because they are too easy.
use_authtok
Set the new password to the one provided by the previously stacked password module. If this option is not set, pam_pwcheck will ask
the user for the new password.
use_first_pass
By default pam_pwcheck tries to get the authentication token from a previous module. If no token is available, the user is asked
for the old password. With this option, pam_pwcheck aborts with an error if no authentication token from a previous module is
available.
remember=XX
Remember the last XX passwords and do not allow the user to reuse any of these for the next XX password changes. XX is a number
between 1 and 400.
enforce_for_root
If this option is set, most of the password check rules are enforced for root, too. Never use this option if you don't know what
you are doing, since it could be as result that root is no longer allowed to login at all.
FILES
/etc/security/opasswd
SEE ALSO
passwd(1), pam.conf(8), pam.d(8), pam(8), rpasswd(1), rpasswdd(8), rpc.yppasswdd(8), yppasswd(1)
pam_pwcheck September 2008 pam_pwcheck(8)