  1. #1 Just Joined! | Join Date: Jun 2007 | Location: In North America | Posts: 20

    sudoers file Question


    I would like to set up another user account on my CentOS server to have basically all admin privileges except the ability to change the root password.

    In order to allow this user to have full admin rights I have added that particular user the ability to `sudo su -` in the sudoers file.

    This is great. It works to allow the user to escalate to admin rights, but I would like to prevent that user from locking me out of the system by changing the root password.

    I have read somewhat of revoking commands using `!` in front of commands but this does not seem to work for me.

    Any ideas how I can prevent users from running specific commands such as `passwd` etc... while allowing the user all other admin rights??

  2. #2 Irithori (Trusted Penguin) | Join Date: May 2009 | Location: Munich | Posts: 3,356
    I don't think this can be reliably done.
    Because once you allow escalation to root in such a broad way as "su", then this user has a million and one ways to change or invalidate the root password.
    sed, awk, any text editor, ...

    What you can do:
    1) Give the user a VM. You control the host. If you should be locked out, you can always hard reset and boot from an (emulated) liveCD or boot the system into a shell
    2) Does the server have decent remote management? decent == virtual media, power control, console access,.. If yes, same logic as above: keep control of the remote management.
    3) How come someone questionable gets root in the first place? Or in other words: Is it *really* necessary?
    4) Maybe a contract / money issue. But what about handing over a machine? Aka: "You pay x money, then it's yours. Support is extra though"
    You must always face the curtain with a bow.
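    An added example, not code from either poster, showing the point of posts #1 and #2 in a checkable form: a small audit script that reads a sudoers file and flags rules that grant ALL, `su`, a shell or an editor while trying to exclude `passwd` with a `!` entry. The sample sudoers it writes is constructed for the demonstration; the user name `helper` and the `PKG` alias are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sudoers file for a root-shell
# grant combined with a "!" denylist. Once the user can reach a root shell
# the "!" entries are bypassable (sed, awk, any editor), so such rules are
# reported as WEAK. Only an allowlist of named, non-shell commands is OK.

audit_sudoers() {
    # $1 = path to a sudoers file; prints one verdict per rule and a summary
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments, blanks
        /^(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            n = index($0, "="); if (n == 0) next
            cmds = " " substr($0, n + 1) " "                 # pad for simple matching
            broad = (cmds ~ /[,[:space:]]ALL[,[:space:]]/) ||
                    (cmds ~ /\/su[,[:space:]]/) ||
                    (cmds ~ /\/(ba|z|k)?sh[,[:space:]]/) ||
                    (cmds ~ /\/(vim?|nano|emacs)[,[:space:]]/)
            deny  = (cmds ~ /[,[:space:]]![[:space:]]*[^,[:space:]]/)
            if (broad && deny) { print "WEAK:  " $0; w++ }  # denylist on a root shell
            else if (broad)    { print "BROAD: " $0; b++ }  # full root, no pretence
            else               { print "OK:    " $0 }
        }
        END { print "weak=" w+0 " broad=" b+0 }
    ' "$1"
}

write_sample_sudoers() {
    # $1 = output path; a constructed sample, not any real server's sudoers
    cat > "$1" <<'EOF'
root    ALL=(ALL)       ALL
# the thread's approach: root shell via su plus a "!" exclusion of passwd
helper  ALL=(root)      /bin/su -, !/usr/bin/passwd
helper  ALL=(ALL)       ALL, !/usr/bin/passwd root
# an allowlist instead: named commands only, no shell or editor
Cmnd_Alias PKG = /usr/bin/yum, /sbin/service
helper  ALL=(root)      PKG
EOF
}

# Run directly: audit the file given as $1, or the constructed sample.
if [ -n "${1:-}" ]; then
    audit_sudoers "$1"
else
    tmp=$(mktemp) && write_sample_sudoers "$tmp" && audit_sudoers "$tmp"
    rm -f "$tmp"
fi
```

    Run it against a copy of /etc/sudoers (never edit the live file by hand; use `visudo`) and treat every WEAK line as a rule that does not restrict what it claims to.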

  3. #3 Just Joined! | Join Date: Jun 2007 | Location: In North America | Posts: 20
    I'm not sure I understand all your recommendations.

    This particular install is indeed a VM using Xen "I'm new to this and all the capabilities".

    Response to recommendation 1)
    ~You mean hard reboot and go into single user mode and then possibly reset root password???

    Response to recommendation 2)
    ~ssh remote access and local login access are available. Not sure what virtual media is??

    Response to recommendation 3)
    ~I would like this user basically to install and config most things on server if need be but not to take over full control and boot me out of box for good.

    I am just now trying to understand how to administer users and groups.
    ~I did assign this user to the built-in `adm` group thinking this is similar to domain admin as in Windows but still the user could not perform certain needed privileges.

    Thank you for your remarks.

  4. #4 Irithori (Trusted Penguin) | Join Date: May 2009 | Location: Munich | Posts: 3,356
    Ok, so as it is a Xen system, and if you control the Xen host, then you could create another VM and give it to that user.
    As I said, as long as you control the VM host, he can do whatever he wants in the VM.

    Also -because this is a VM- remote management doesn't apply.
    What I meant here is an out-of-band management, that is used on tier-1 servers: Dell DRAC, HP Integrated Lights-Out or IBM Remote Supervisor Adapter (see their Wikipedia pages).


    There are two kinds of users:
    - root
    - the rest

    As he wants to install software and configure daemons, he needs root.

    If there is only one VM and you don't fully trust that user (or there is no clear contract), then imho you shouldn't give him root privileges and rather do all the work yourself.

  5. #5 Just Joined! | Join Date: Jun 2007 | Location: In North America | Posts: 20
    So I do understand that if I have ownership of the host, then in case any VM is taken over I at least have access to the iron box and am able to start over. However, there must be a more efficient way of restricting rights and permissions for various other delegated users, but I am just unknowledgeable at the moment in providing these permissions to various users. I'll continue researching this.

    As concerning the remote management features:
    ~I am familiar with "sentry rpm" to provide certain out-of-band reboot features.

    I can see your hardware mentions being useful in case you lose the operating system and possibly have to do PXE booting (having to gain access to the BIOS to configure boot sequences and such). Not sure about other relevant practical features, but this would save on any site visits for server repairs I suppose.

    I learned something new about remote management products. Thank you for your input.
