Prevent user from creating new user from his login


# 8  
Old 4 Days Ago
Quote:
Originally Posted by as7951
Hi All,

Thank you very much for the time and effort you have put into this post.
Your responses and positive comments mean a lot to me.

I tried the below to achieve what I want to some extent.
Code:
cha ALL=(ALL) ALL
cha ALL=/usr/bin, !/usr/sbin/useradd, !/usr/sbin/userdel

A handful of the easiest ways cha can still add users on your system:
Code:
# Make a shell do it
sudo sh -c 'useradd'

# Put it in a script and run it
echo 'useradd' > nicetry.sh ; chmod +x nicetry.sh ; sudo $PWD/nicetry.sh

# Put it in a script and make a shell do it
echo 'useradd' > nicetry.sh ; sudo bash $PWD/nicetry.sh

# Duplicate the command to something sudoers hasn't blocked
sudo ln /usr/sbin/useradd /usr/sbin/nicetry ; sudo nicetry

# Install something else
sudo apt-get install alternate-utility ; sudo alternate-utility

# manually edit password files
sudo vi /etc/passwd ; sudo vi /etc/shadow

# edit sudoers to give yourself permissions
sudo visudo

# mount other folder on top of /etc.  Even an unwritable filesystem won't stop this one!
sudo mount --bind /fake-etc /etc

Your screen door is leaking. You blocked one pinhole. There are 10,000 more for you to find and plug individually.

Last edited by Corona688; 4 Days Ago at 02:41 PM..
These 2 Users Gave Thanks to Corona688 For This Post:
Don Cragun (4 Days Ago) wisecracker (4 Days Ago)
# 9  
Old 4 Days Ago
Hi Bakunin,

Thanks for the detailed information.

Your response helped me a lot to gain knowledge on this topic/issue.

Yes, you are right, there are other ways as well to undo the changes I have done and to add and delete users.
I have informed the customer of the same and told them that we can't limit the user until he has all the rights.
# 10  
Old 4 Days Ago
Quote:
Originally Posted by as7951
I have informed the customer of the same and told them that we can't limit the user until he has all the rights.
If you carefully re-read the posts above you will see that Corona688 already addressed that: instead of giving a user all rights (in fact that means he can become the root user, which is allowed to do everything) and then (try to) take away the rights you don't want him to have, you should look at it differently from the start:

What does the user have to do and precisely which rights does he need for that?

Once you have answered this question (not to me - to yourself) you can start thinking about ways to give the user exactly these rights - and nothing more. Instead of giving out all rights and then taking back some, you only give out what is absolutely necessary in the first place.

If you tell us about your (long-term) goals - that is, what is the user account supposed to do - we can help you come up with ways to achieve that. It is perhaps possible to do it but just not in the way you tried.

I hope this helps.

bakunin

Last edited by bakunin; 4 Days Ago at 12:15 PM..
This User Gave Thanks to bakunin For This Post:
wisecracker (4 Days Ago)
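The contrast drawn in posts #8 and #10 (exclusions bolted onto a broad grant versus an explicit allowlist), as an added example that is not part of any poster's reply: a small lint that flags the denylist patterns in sudoers text. The `STRICT` rule, its script path and its unit name are hypothetical.

```shell
#!/bin/sh
# Added example: flag sudoers grants that "!" exclusions cannot fence in.
# Alias definitions are skipped, not expanded.

# Tools the bypass list in post #8 relies on.
ESCAPES="sh bash vi visudo ln mount apt-get"

# audit_sudoers: sudoers text on stdin, one "line N: finding" per problem.
audit_sudoers() {
    awk -v escapes="$ESCAPES" '
    BEGIN { n = split(escapes, e, " "); for (i = 1; i <= n; i++) risky[e[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ || /_Alias/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)   # drop the (runas) list
        gsub(/[A-Z_]+:[ \t]*/, "", spec)          # drop tags such as NOPASSWD:
        m = split(spec, cmds, ",")
        for (i = 1; i <= m; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            split(c, w, " "); k = split(w[1], p, "/")
            if (c == "ALL")
                print "line " NR ": ALL permits every command"
            else if (c ~ /^!/)
                print "line " NR ": exclusion " c " blocks one path only"
            else if (c ~ /\/$/)
                print "line " NR ": directory " c " permits every program in it"
            else if (p[k] in risky)
                print "line " NR ": " p[k] " is on the bypass list from post 8"
        }
    }'
}

# The rules quoted in the thread.
WEAK='cha ALL=(ALL) ALL
cha ALL=/usr/bin, !/usr/sbin/useradd, !/usr/sbin/userdel'

# Constructed allowlist: script path and unit name are hypothetical.
STRICT='cha ALL=(root) /usr/local/sbin/restart-app, /usr/bin/systemctl status myapp'

printf '%s\n' "$WEAK" | audit_sudoers     # three findings
printf '%s\n' "$STRICT" | audit_sudoers   # no findings
```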
# 11  
Old 4 Days Ago
I know this might be a daft question, but why would you want to share a very powerful account with someone else but leave one thing out? Either you trust them, or you don't. Don't give privileges to anyone for anything unless you are happy that they are safe to do the thing and that they can't escape and do something else.

I might be paranoid, but not only did we keep all users as 'ordinary' and with (full path) scripted sudo rules but for things with user accounts (even password resets) we intercepted the official code and added our own logging. People in the security group who are already allowed to do such things ended up being logged so we could at least trace it back. You learn to be paranoid in a financial company where someone managed to get another user's password reset and then performed fraudulent actions (i.e. I've seen the death certificate, pay out the life assurance) as someone else.


Basically, only give the minimum required to do the job. Don't just allow them in with total access if they don't need it or because it's convenient and saves having to define appropriate security rules on your data.

Security is usually like birth control methods - people don't like them and try to avoid using them but if you get caught out, it is too late. Prevention (or abstinence) is better than remedial action or just living with the consequences.

You need to ask yourself very carefully what they actually need. Be extremely cautious.


Just my thoughts.


Can you tell us more about what they really need to do?

Robin
These 2 Users Gave Thanks to rbatte1 For This Post:
Don Cragun (3 Days Ago) wisecracker (4 Days Ago)
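One way to build the kind of full-path, logged wrapper described in post #11, as an added example that is not rbatte1's code: a script that a sudoers rule names in place of `passwd`, recording the real caller before handing over. `REAL_PASSWD`, `MIN_UID` and the `pwreset` log tag are assumptions.

```shell
#!/bin/sh
# Added example: password-reset wrapper that logs who asked for what.
# REAL_PASSWD, MIN_UID and the "pwreset" log tag are assumptions.
REAL_PASSWD=/usr/bin/passwd
MIN_UID=1000    # assumption: lower UIDs are root and service accounts

# valid_target NAME UID: succeed only for a well-formed, non-system account.
valid_target() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;   # empty, option-like, odd characters
    esac
    [ "$2" -ge "$MIN_UID" ] 2>/dev/null    # empty or non-numeric UID fails too
}

# audit_record RESULT TARGET: log text; SUDO_USER is set by sudo itself.
# The target is masked so a crafted name cannot forge extra log fields.
audit_record() {
    t=$(printf '%s' "$2" | tr -c 'a-zA-Z0-9_.-' '?')
    printf 'result=%s target=%s invoker=%s' "$1" "$t" "${SUDO_USER:-unknown}"
}

# reset_password NAME: log the decision, then hand over to the real passwd.
reset_password() {
    uid=$(id -u "$1" 2>/dev/null) || uid=
    if ! valid_target "$1" "$uid"; then
        logger -p auth.warning -t pwreset "$(audit_record denied "$1")"
        echo "pwreset: refusing to change this account" >&2
        return 1
    fi
    logger -p auth.notice -t pwreset "$(audit_record allowed "$1")"
    exec "$REAL_PASSWD" "$1"
}

# Run only when called with exactly one account name, e.g. through sudo.
if [ "$#" -eq 1 ]; then
    reset_password "$1"
fi
```

The wrapper only helps if it is owned by root and not writable by the users allowed to run it, and if the sudoers rule names the wrapper's full path and nothing broader.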