Prevent user from creating new user from his login
# 1  
Old 03-11-2019
Prevent user from creating new user from his login

Hi Experts,

Need your support
Redhat 6.5
I want to create a user with all (read, write, execute) privileges, except that the user should not be able to create any new user from his login to perform any task.
# 2  
Old 03-11-2019
Off the top of my head, this seems contradictory. If you have read, write, and execute on any file, that means new user creation is possible. If you employ ACLs and block this special user from accessing files, then what happens when the user employs setfacl (or whatever tool) to undo your change to the ACL?

Instead of telling us HOW you think this task needs to be done, please tell us WHAT problem you are trying to fix.

Note: Linux system roles are beginning to receive support, I think the concept was demonstrated well in Solaris 10. I do not know how robust the support of roles using Ansible is in your version of RH.

Linux System Roles | The Linux System Roles are a collection of roles and modules executed by Ansible to assist Linux admins in the configuration of common GNU/Linux subsystems.

Check your documentation for Ansible

Last edited by jim mcnamara; 03-11-2019 at 09:12 AM..
This User Gave Thanks to jim mcnamara For This Post:
# 3  
Old 03-11-2019
Quote:
Originally Posted by jim mcnamara
Off the top of my head, this seems contradictory. If you have read, write, and execute on any file, that means new user creation is possible. If you employ ACLs and block this special user from accessing files, then what happens when the user employs setfacl (or whatever tool) to undo your change to the ACL?
Absolutely! If someone is allowed to do "everything" then everything it is - no less!

I remember a former customer took away root privileges for a certain system from us system administrators, but because we were still supposed to edit a certain file owned by root (!), they created a sudo rule for us:

Code:
myuser ALL=(ALL)   vi /path/to/some/dir/*

They wondered why we still became root whenever we needed to and probably still are wondering, LOL!

Quote:
Originally Posted by jim mcnamara
Note: Linux system roles are beginning to receive support, I think the concept was demonstrated well in Solaris 10. I do not know how robust the support of roles using Ansible is in your version of RH.
I don't know Solaris too well, but RBAC (Role Based Access Control) has been available in AIX for about 10-15 years. I would strongly prefer jumping out of the next available window to using it, though. It makes the administration of a system practically impossible (yes, I know all the "but"s; I still stand by what I said). My advice: stay away as far as you can. If you can't do it with standard UNIX privileges, it isn't worth doing and/or your model is plain wrong.

I hope this helps.

bakunin
This User Gave Thanks to bakunin For This Post:
# 4  
Old 03-11-2019
Hi Jim,

I want to create one user and do not want that user to run the userdel and useradd commands.
The only intention is to prevent the user from running the useradd and userdel commands on Redhat 7.2;
other than this, he should be able to perform any other task.

In short, the user should not be able to execute the useradd and userdel commands from his login.

--- Post updated at 11:39 AM ---

Hi Bakunin,

Thank you for such a nice explanation.
Apologies, as I know I am asking the same question again, but I need help on this to understand more.
Is there any way/command to disable only two commands (useradd and userdel) for a particular user?

We don't want the user to create or delete any user on the system.
# 5  
Old 03-11-2019
We are not being obtuse, being overly literal, or blocking you. We're telling you that your question is nonsensical. You cannot stop root from being root. Period. Full stop. Any measures you use to stop them, they have full access to undo themselves, by definition.

For instance, useradd and userdel aren't magic -- they edit files. Block them and they can just edit the files by hand, or install something else for the purpose. Block access to the files and bad things will happen since the system needs these files.

You will have to approach the problem from another angle. Rather than 'limit what root can do', you will need to very precisely specify what they are actually allowed to do, and permit that in a non-root user via sudo.
These 5 Users Gave Thanks to Corona688 For This Post:
# 6  
Old 03-13-2019
Prevent user from creating new user from his login

Hi All,

Thank you very much for your time and effort you have put in for this post.
Your response and positive comments mean a lot to me.

I tried the below to achieve what I want to some extent.

Quote:
cha ALL=(ALL) ALL
cha ALL=/usr/bin, !/usr/sbin/useradd, !/usr/sbin/userdel
# 7  
Old 03-13-2019
Quote:
Originally Posted by as7951
I tried the below to achieve what I want to some extent.
This is exactly the thing we talked about: what you did can easily be undone by the person you tried to block. Here, I am allowed to do "everything but" some commands, so I use another command (here: visudo) to remove the rule you just edited into /etc/sudoers, to edit it out again. After this, your carefully crafted limitation of my possibilities doesn't exist any more.

Or, as Corona688 said, I simply leave the limitation in place and use vi to edit /etc/passwd (and probably some shadow files, depending on your system and its setup) directly to do manually what useradd and userdel do automatically. I won't even need these commands to create or remove users.

Or I could, using the still allowed command su, switch to another user and execute useradd and userdel from there.

Or I could use cp to copy a shell executable somewhere, use chmod to set its sticky bits, then execute it as my user and could still execute the forbidden command, because inside the shell I have a different effective user ID and the limitation won't apply to me any more.

Or I could ...

What you did was to carefully lock one door, but leave open hundreds of others leading to the same room. If you want to prevent me from getting in there, it doesn't matter if I have 100 or only 99 options available.

Bottom line: what you have is NOT a solution, not even a partial one, and we are trying to tell you exactly that for several posts now. You are of course free to ignore this advice, but what is the point of asking in the first place if you refuse to hear the answer because you don't like it?

I hope this helps.

bakunin

Last edited by bakunin; 03-13-2019 at 05:52 AM..
These 2 Users Gave Thanks to bakunin For This Post:
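Corona688's advice in post #5 and bakunin's critique of the rule quoted in post #6 both come down to the same change: replace the "everything except" deny list with an explicit allowlist of what the account may do as root. The sudoers fragment below is an added example written for this thread, not something any poster supplied; the Cmnd_Alias name, the httpd commands and the config file path are assumptions standing in for whatever the account actually needs.

```sudoers
# Weak rule (as quoted in post #6): "ALL except two commands" is a deny list.
# Every other command it still permits (visudo, vi, su, cp + chmod, ...) reaches
# the same result, so the two exclusions add nothing.
#
#   cha ALL=(ALL) ALL
#   cha ALL=/usr/bin, !/usr/sbin/useradd, !/usr/sbin/userdel

# Corrected approach: enumerate exactly what the account may run as root and
# grant nothing else.  No editor, shell, su, or package tool appears here,
# because each of those is a path back to an unrestricted root shell.
# Alias name and commands are assumptions for this example.
Cmnd_Alias CHA_TASKS = /usr/bin/systemctl restart httpd, \
                       /usr/bin/systemctl status httpd, \
                       /usr/bin/cat /var/log/httpd/error_log

cha ALL=(root) CHA_TASKS

# The rule from post #3 granted root-owned vi on a wildcard path; vi's shell
# escape turns that into a root shell.  sudoedit copies the file, lets the
# invoking user edit the copy unprivileged, and writes it back as root.
# Name the exact file (assumed path below): a wildcard in a sudoers argument
# also matches "/" and so permits ".." traversal to other files.
#
#   myuser ALL=(ALL)   vi /path/to/some/dir/*
myuser ALL=(root) sudoedit /path/to/some/dir/app.conf
```

Install the fragment with visudo so the syntax is checked before it takes effect, and confirm the resulting rule set with `sudo -l -U cha`.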