I am sorry but this is worst idea that you can have....
Let me give some examples how you can gain root privileges:
vi - is having possibility to go out to shell..with root access or you cann edit any file
smitty - the same thin on each moment you can press F9 and go to shell
find - command has also privileges to execute commands as root (look for exec in man)
cat - using this command you can overwrite any file and then usi it to execute any command on system
chuser - with this command you can change any user parameters including root
All those commands looks harmless but you can use them to gain root privileges.
In my opinion or you are giving privileges to people that you can trust or you are not giving them privileges at all.
Any half way just creates risk to you.
If you have some application teams that you do not want to give root access just give them access to sudo su - to specific application user if they need more privileges they should ask you for help
You can use the Cmnd_Alias in the following to assign to a specific or a group of users:
Code:
idadmin ALL=NOPASSWD: IDADMIN
# for a group use % sign in front of the group name
%idadmingr ALL=NOPASSWD: IDADMIN
NOPASSWD simply tells that user do not need to enter password while using sudo. If not needed in your case, do not use it.
zaxxon,
Yes, even I would vote for RBAC but keeping in mind that there are still a lot of 5L AIX systems around in the industry, RBAC may not implemented widely and specially when ID Administration works under the shadow of Information Security (in our case). But, if it's 6.1 or even 7.1 AIX, RBAC is the thing people should go for.
gito,
Good catch! There's always a risk with programs which accept shell escapes. We did not have any other way to achieve the same goal with AIX5.1L. sudo su - to a specific user does not add any advantage. What if the person do need vi to edit the permitted file in sudoers? Contacting server admins for editing files in vi is surely not an option in the huge environment we work in. Any better suggestion is always welcome!!
@admin_xor:
Agreed. Additionally it can become very complex using RBAC if one starts to go in depth and detail, at least the impression I got. We use it only to stop using root. It is also one of the things I would prefer to have a good graphical front end in such cases of using plenty of roles and custom permissions^^
Hi
I need to assign proc_owner privilege to particular user through RBAC. How can I assign this privilege to user, I need help on this.
Further I need to understand if I give this proc_owner privilege to particular user, what kind of control user will get on other user or system processes... (7 Replies)
Hi ,
I want to create 3 different user with below privilege in Solaris and Linux.
1) Read Only
2)Read and Write Only
3) Admin user
Can you guys help me on this . (3 Replies)
I am planning to implement sudo for users.
Under , it looks I have to put the users who need to have sudo access:
What are the recommended for users? I don't think I need to give the ALL privilege (i.e ) to AIX users.
I'd like to know the commonly used privilege specification for sudo... (1 Reply)
I have setup public key based login to my CentOS VPS. I wish to disable direct root login and have created an admin user under wheel group and have modified /etc/sudoers file and gave Wheel group all privileges.
But now I am being prompted for password whenever I type sudo. I do not wish to... (4 Replies)
Hello experts I am new to Unix.
Env : HPUX
I need to create a user say testuser such that it does not have access to file/directories from the other group i.e the last 3 digits .
How do I do that.
Reason for such a request :-
I have an existing user oracle which has default umask... (3 Replies)
I'm trying to give a non-root user the right to start IBM HTTP Server, the web server is listening on port 80, but for AIX, ports under 1024 are privilege ports which can be used only by root.
/usr/IBMIHS/bin# ./apachectl start
(13)Permission denied: make_sock: could not bind to address :::80... (1 Reply)
Is it possible to grant write privileges to a user on a directory with out having to add the user to a group or make the user the owner of the directory?
My background is in Windows and in Windows you can grant specific privileges to a user without having to put the user in a group or making the... (3 Replies)
01-04-2012
