Root access that can't change root password?

    #1  
Old Unix and Linux 12-15-2013   -   Original Discussion by 244an
244an 244an is offline

We are having a little problem on a server. We want some users to be able to use e.g. sudo and become root, but with the restriction that the user can't change the root password. That is, a guarantee that we can still log in to that server and become root no matter what the other users do.

Is that possible?
(Linux 3.2.0-57-generic #87-Ubuntu SMP)
    #2  
Old Unix and Linux 12-15-2013   -   Original Discussion by 244an
bartus11 bartus11 is offline
One way to do it is to disable "su" and "passwd" access in sudoers, for example like this:
Code:
user ALL=(ALL) ALL, !/usr/bin/passwd, !/usr/bin/su

Then tell user to run the commands that he needs executed as root by prefixing them with "sudo".

It will not prohibit manually editing the /etc/shadow file though...
    #3  
Old Unix and Linux 12-16-2013   -   Original Discussion by 244an
rbatte1 rbatte1 is offline Forum Staff  
.... or editing the /etc/sudoers file and the user can take off the restrictions again.


How about you ask exactly what is needed and only permit that with sudo rules. Be sure not to allow access to anything that the user can escape from, e.g. if you give vi, then the user can probably :sh to get to a command prompt as the executing user.

Other things run with sudo, such as ftp, can also be used to run local shell commands. You have to be very careful.

Perhaps there is a need for not giving root access to the user. Ask what needs to be done, get it scripted and tested, then make the script Read-Only to them, but have it owned by root and set the SUID flag with:-
Code:
chown root:group yourscript
chmod 4750 yourscript

Make sure that the world cannot execute the script and set the group to be as restricted as you can. Perhaps even create a group for just this use.

I hope that this helps or at least gives you something to consider.


Robin
Liverpool/Blackburn
UK
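
Added example (not part of any post in this thread): a small shell check for the two sudoers problems discussed above, a rule that grants ALL with negated exceptions and a rule that permits a program with a shell escape. The `audit_rule` function, the `ESCAPERS` list and the `rotate-logs` path are assumptions made for illustration, and only single-line user specifications are handled.

```shell
#!/bin/sh
# Added example: audit sudoers rule lines for the problems raised in this thread.
# ESCAPERS is an assumed, non-exhaustive list (the thread names vi and ftp).
ESCAPERS="vi vim ftp less more man"

# audit_rule "<rule>" prints one finding per line, or "OK" if none apply.
audit_rule() {
    cmds=${1#*=}                                  # drop "user host =" prefix
    case $cmds in *\)*) cmds=${cmds#*\)} ;; esac  # drop "(runas)" if present
    has_all=0; has_neg=0; found=""
    old_ifs=$IFS; IFS=,; set -f                   # split on commas, no globbing
    for cmd in $cmds; do
        # trim, drop a leading tag such as NOPASSWD:, drop arguments
        cmd=$(printf '%s\n' "$cmd" |
              sed 's/^[[:space:]]*//; s/^[A-Z]*:[[:space:]]*//; s/[[:space:]].*$//')
        case $cmd in
            ALL) has_all=1 ;;
            \!*) has_neg=1 ;;
            *)   case " $ESCAPERS " in
                     *" ${cmd##*/} "*)
                         found="${found}ESCAPE: $cmd can start a shell as the target user
" ;;
                 esac ;;
        esac
    done
    IFS=$old_ifs; set +f
    if [ "$has_all" -eq 1 ] && [ "$has_neg" -eq 1 ]; then
        found="${found}UNCONFINED: ALL with negations is a blacklist; editing /etc/shadow or /etc/sudoers is still allowed
"
    elif [ "$has_all" -eq 1 ]; then
        found="${found}UNCONFINED: ALL grants full root
"
    fi
    if [ -n "$found" ]; then printf '%s' "$found"; else echo OK; fi
}

# Constructed sample rules (the first is the rule posted in the thread).
for r in 'user ALL=(ALL) ALL, !/usr/bin/passwd, !/usr/bin/su' \
         'user ALL=(root) /usr/bin/vi /etc/hosts, /usr/bin/ftp' \
         'user ALL=(root) NOPASSWD: /usr/local/sbin/rotate-logs'; do
    printf '%s\n' "$r"
    audit_rule "$r" | sed 's/^/  /'
done
```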