Prevent user from creating new user from his login
Post 303032250 by rbatte1 on Thursday 14th of March 2019 07:54:07 AM
I know this might be a daft question, but why would you want to share a very powerful account with someone else but leave one thing out? Either you trust them, or you don't. Don't give privileges to anyone for anything unless you are happy that they are safe to do the thing and that they can't escape and do something else.

I might be paranoid, but not only did we keep all users as 'ordinary' and with (full path) scripted sudo rules but for things with user accounts (even password resets) we intercepted the official code and added our own logging. People in the security group who are already allowed to do such things ended up being logged so we could at least trace it back. You learn to be paranoid in a financial company where someone managed to get another user's password reset and then performed fraudulent actions (i.e. I've seen the death certificate, pay out the life assurance) as someone else.


Basically, only give the minimum required to do the job. Don't just allow them in with total access if they don't need it or because it's convenient and saves having to define appropriate security rules on your data.

Security is usually like birth control methods - people don't like them and try to avoid using them but if you get caught out, it is too late. Prevention (or abstinence) is better than remedial action or just living with the consequences.

You need to ask yourself very carefully what they actually need. Be extremely cautious.


Just my thoughts.


Can you tell us more about what they really need to do?

Robin
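
The setup described in the post above (ordinary users, a full-path sudo rule, and a logging wrapper in front of the real account tool), as an added example that is not rbatte1's code. The group `helpdesk`, the path `/usr/local/sbin/pwreset-logged`, the `pwreset` log tag, the location of `passwd` and the UID floor of 1000 are all assumptions.

```shell
#!/bin/sh
# Installed as /usr/local/sbin/pwreset-logged, root:root, mode 0755 (path is an assumption).
# Matching sudoers entry (constructed; the group name is an assumption):
#   %helpdesk ALL=(root) /usr/local/sbin/pwreset-logged
LC_ALL=C; export LC_ALL        # make the a-z ranges below byte-exact
MIN_UID=1000                   # assumption: ordinary accounts start here

# Accept only conservative account names, so nothing odd reaches passwd or the log.
valid_name() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or a character outside the set
        [a-z_]*) return 0 ;;            # must start with a letter or underscore
        *) return 1 ;;                  # e.g. a leading '-' that would look like an option
    esac
}

# The target must exist and must not be root or a service account.
may_reset() {
    valid_name "$1" || return 1
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ge "$MIN_UID" ]
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: pwreset-logged <username>" >&2; return 2; }
    caller=${SUDO_USER:-$(id -un)}      # sudo records who really asked
    if ! valid_name "$1"; then
        logger -p auth.warning -t pwreset "DENIED caller=$caller reason=bad-name"
        return 1
    fi
    if ! may_reset "$1"; then
        logger -p auth.warning -t pwreset "DENIED caller=$caller target=$1"
        return 1
    fi
    logger -p auth.notice -t pwreset "RESET caller=$caller target=$1"
    exec /usr/bin/passwd "$1"           # assumption: passwd lives here on this system
}

# Run only under the installed name, so sourcing the file for testing has no effect.
case "${0##*/}" in
    pwreset-logged) main "$@" ;;
esac
```

The wrapper and every directory above it must be writable by root only; an operator who can edit the script holds root.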
eurephiadm users(7)                                                    eurephiadm users(7)

NAME
       eurephiadm-users - User management module

SYNOPSIS
       eurephiadm users --list|-l [-S|--sort <sort keys>]

       eurephiadm users --show|-s [-i|--uid <user id>] [-u|--username <user name>]
                        [-l|--lastlog] [-L|--lastlog-details] [-a|--attempts] [-b|--blacklist]

       eurephiadm users --activate|-a [-i|--uid <user id>] [-u|--username <user name>]

       eurephiadm users --deactivate|-d [-i|--uid <user id>] [-u|--username <user name>]

       eurephiadm users --add|-A [-u|--username <user name>] [-P|--password <plain text password>]
                        [-C|--certid <certificate ID>] [-D|--digest <certificate SHA1 digest>]
                        [-c|--certfile <certificate file>] [-2|--pkcs12]

       eurephiadm users --delete|-D [-i|--uid <user id>] [-u|--username <user name>]

       eurephiadm users --password|-p [-i|--uid <user id>] [-u|--username <user name>]

       eurephiadm users [-h|--help [<mode>]]

DESCRIPTION
       eurephiadm users manages eurephia user accounts. It provides an interface for
       listing, creating, modifying and deleting user accounts.

MODES
       Available modes:

       -l | --list [-S|--sort <sort keys>]
              List all user accounts. Providing -S|--sort and a sort key will define
              the sort order of the list. Valid sort keys are:

              uid          - user ID
              username     - User name belonging to the user account
              activated    - When the user account was activated
              deactivated  - When the user account was deactivated
              lastaccess   - When the user account was last used

       -s | --show [-i|--uid <user id>] [-u|--username <user name>] [-l|--lastlog]
              [-L|--lastlog-details] [-a|--attempts] [-b|--blacklist]
              Show user account details. --uid or --username is required. The other
              arguments only define which kind of information to show.

       -a | --activate [-i|--uid <user id>] [-u|--username <user name>]
              Activate a user account. --uid or --username is required.

       -d | --deactivate [-i|--uid <user id>] [-u|--username <user name>]
              Deactivate a user account. --uid or --username is required.

       -A | --add [-u|--username <user name>] [-P|--password <plain text password>]
              [-C|--certid <certificate ID>] [-D|--digest <certificate SHA1 digest>]
              [-c|--certfile <certificate file>] [-2|--pkcs12]
              Add a new user account. --username is required. If you want to assign a
              password for the new user account via the command line, provide the
              password with --password.

              To associate this user account with an already registered certificate,
              either refer to the certificate ID in eurephia using --certid or provide
              the certificate SHA1 digest/fingerprint to --digest.

              A brand new certificate can be registered and linked to the user account
              directly if you have access to the certificate file. The file can be in
              either PEM/DER format or PKCS#12. Use --certfile to indicate the
              certificate file to extract the information from and --pkcs12 if it is a
              PKCS#12 file.

       -D | --delete [-i|--uid <user id>] [-u|--username <user name>]
              Delete a user account. --uid or --username is required.

       -p | --password [-i|--uid <user id>] [-u|--username <user name>]
              Change password on a user account. --uid or --username is required.

       -h | --help [<mode>]
              Show a help screen. Without any arguments, all modes are listed.
              Providing a mode will show more information about the chosen mode.

SEE ALSO
       eurephiadm(7), eurephiadm-certs(7)

AUTHOR
       Copyright (C) 2008-2010 David Sommerseth <dazo@users.sourceforge.net>

David Sommerseth                       July 2010                       eurephiadm users(7)