Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Prevent user from creating new user from his login
Top Forums UNIX for Advanced & Expert Users Prevent user from creating new user from his login Post 303032250 by rbatte1 on Thursday 14th of March 2019 07:54:07 AM
Old 03-14-2019
I know this might be a daft question, but why would you want to share a very powerful account with someone else but leave one thing out. Either you trust them, or you don't. Don't give privileges to anyone for anything unless you are happy that they are safe to do the thing and that they can't escape and do something else.

I might be paranoid, but not only did we keep all users as 'ordinary' and with (full path) scripted sudo rules but for things with user accounts (even password resets) we intercepted the official code and added our own logging. People in the security group which are already allowed to do such things ended up being logged so we could at least trace it back. You learn to be paranoid in a financial company where someone managed to get another user's password rest and then performed fraudulent actions (i.e. I've seen the death certificate, pay out the life assurance) as someone else.


Basically, only give the minimum required to do the job. Don't just allow them in with total access if they don't need it or because it's convenient and saves having to define appropriate security rules on your data.

Security is usually like birth control methods - people don't like them and try to avoid using them but if you get caught out, it is too late. Prevention (or abstinence) is better than remedial action or just living with the consequences.

You need to ask yourself very carefully what they actually need. Be extremely cautious.


Just my thoughts.


Can you tell us more about what they really need to do?

Robin
These 2 Users Gave Thanks to rbatte1 For This Post:
Don Cragun wisecracker
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Creating a user that can't login

I need to set up/modify a user account on one of our machines which will allow the user to stay on the system, but not use their user id and password to login to the machine. It is for the purposes of an ftp user, so that nobody can then login as ftp/passwd. Ta.:) (2 Replies)
Discussion started by: danhodges99
2 Replies

2. AIX

Limiting length of user in while creating user

Hi all, I am a newbe to aix 5.2. I want to specify the characters used by users while creating user in aix like specifying the length of the password should i use some sript for that if it is then please let me know how to do this if yes give me the link for the scripts. Thanks in advance ... (2 Replies)
Discussion started by: Satya Mishra
2 Replies

3. UNIX for Dummies Questions & Answers

I create user but i cant login the user i created.

I created a user, i login as a root. I add him in the group where he can access and login as a root! I checked it in users' list and in group's list, he is there. My problem is this, I cant login using the username/account I just created! What should i do to use and login the user/account i've just... (5 Replies)
Discussion started by: jerome
5 Replies

4. Shell Programming and Scripting

Running script from other user rather than login user

Hi, My requirement is that i am login from ROOT in a script but when any command is coming which is logging to sqlplus then i have to run it with normal user as only normal user have permission to connect to sqlplus . i tried making a script like this : #! /bin/ksh su -... (3 Replies)
Discussion started by: rawatds
3 Replies

5. Cybersecurity

prevent user from excute command

Dears I want to prevent users from doing spesific command "history -c" or "history" in general How can I do ? (4 Replies)
Discussion started by: reaky
4 Replies

6. IP Networking

how to prevent a user from downloading on lan

hi all, i want to prevent users downloading files in the office as bandwidth becomes very low and affects work. one of my friend tried to close the connection using ethercap but this does not work. i have a debian desktop while other users use MS W!ndows. Please provide any help. Thanks (5 Replies)
Discussion started by: coolatt
5 Replies

7. Shell Programming and Scripting

How to Login as another user through Shell script from current user[Not Root]

Hi Every body, I would need a shell script program to login as different user and perform some copy commands in the script. example: Supppose ora_toms is the active user ora_toms should be able to run a script where user: ftptomsp pass: XXX should login through and run the commands ... (9 Replies)
Discussion started by: ujjwal27
9 Replies

8. Shell Programming and Scripting

Login into another user from user inside script

now i have logged in username : ramesh in unix Now i have to created script file to login into another user and have run a command inside that user and after executing the command i have to exit from that user. Inside script, i have to login into su - ram along with password : haihow and have to... (4 Replies)
Discussion started by: rammm
4 Replies

9. Shell Programming and Scripting

Prevent the user from changing his directory

Hi could some let me know how to prevent user from changing his home directory....... Thanks in advance.... (1 Reply)
Discussion started by: Revanth547
1 Replies

10. Shell Programming and Scripting

Prevent the user from changing his directory

Hi could some let me know how to prevent user from changing his home directory....... Thanks in advance.... (6 Replies)
Discussion started by: rahul547
6 Replies

LEARN ABOUT DEBIAN

logcheck

Logcheck(8)						      System Manager's Manual						       Logcheck(8)

NAME

       logcheck -- program to scan system logs for interesting lines

SYNOPSIS

       logcheck [OPTIONS]

DESCRIPTION

       The  logcheck  program helps spot problems and security violations in your logfiles automatically and will send the results to you periodi-
       cally in an e-mail. By default logcheck runs as an hourly cronjob just off the hour and after every reboot.

       logcheck supports three level of filtering: "paranoid" is for high-security machines running as few services as possible. Don't use  it	if
       you  can't handle its verbose messages.	"server" is the default and contains rules for many different daemons.	"workstation" is for shel-
       tered machines and filters most of the messages.  The ignore rules work in additive manner. "paranoid" rules are  also  included  at  level
       "server". "workstation" level includes both "paranoid" and "server" rules.

       The  messages  reported	are  sorted into three layers, system events, security events and attack alerts. The verbosity of system events is
       controlled by which level you choose, paranoid, server or workstation.  However, security events and attack  alerts  are  not  affected	by
       this.

EXAMPLES

       logcheck  can  be  invoked directly thanks to su(8) or sudo(8), which change the user ID. The following example checks the logfiles without
       updating the offset and outputs everything to STDOUT.

       sudo -u logcheck logcheck -o -t

OPTIONS

       A summary of options is included below.

       -c CFG	 Overrule default configuration file.

       -d	 Debug mode.

       -h	 Show usage information.

       -H	 Use this hostname string in the subject of logcheck mail.

       -l LOG	 Run logfile through logcheck.

       -L CFG	 Overrule default logfiles list.

       -m	 Mail report to recipient.

       -o	 STDOUT mode, not sending mail.

       -p	 Set the report level to "paranoid".

       -r DIR	 Overrule default rules directory.

       -R	 Adds "Reboot:" to the email subject line.

       -s	 Set the report level to "server".

       -S DIR	 Overrule default state directory.

       -t	 Testing mode does not update offset.

       -T	 Do not remove the TMPDIR.

       -u	 Enable syslog-summary.

       -v	 Print current version.

       -w	 Set the report level to "workstation".

FILES

       /etc/logcheck/logcheck.conf is the main configuration file.

       /etc/logcheck/logcheck.logfiles is the list of files to monitor.

       /usr/share/doc/logcheck-database/README.logcheck-database.gz for hints on how to write, test and maintain rules.

EXIT STATUS

       0 upon success; 1 upon failure

SEE ALSO

       logtail(8)

AUTHOR

       logcheck is developed by Debian logcheck Team at alioth: http://alioth.debian.org/projects/logcheck/.

       This manual page was written by Jon Middleton.

																       Logcheck(8)
All times are GMT -4. The time now is 10:59 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy