Re: An Account Root Can't Access?



At 19 Feb 2007 10:40:45 -0800 "Jistan Idiot" <jistanidiot@xxxxxxxxx> wrote:


Ok, I had to give the other jr sysadmin root access to one of our
servers (orders from above, nothing I can do about it). The problem of
course is that I don't want him to be able to see what I have on that
server in my directory and I don't want him to be able to change
things in /etc without first telling me. Is there some way to root-
proof these directories?

Not if he has full root privs (e.g. root's password or 'user ALL=(ALL)
ALL' in /etc/sudoers). Either you trust him or not. You can always
'read him the riot act', and explain your reasons why (Privacy 101,
IfItAintBrokeDontFixIt 101, DoNoHarm 101, AskFirst 101, etc.).

Instead of giving him full root access, consider giving him *limited*
access via sudo.

man sudo
man visudo
man sudoers




--
Robert Heller -- 978-544-6933
Deepwoods Software -- Linux Installation and Administration
http://www.deepsoft.com/ -- Web Hosting, with CGI and Database
heller@xxxxxxxxxxxx -- Contract Programming: C/C++, Tcl/Tk
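
A sketch of the limited-access approach suggested in the reply above, as an added example that is not part of the original post. The account name jradmin, the file name, the service name and the command paths are assumptions and vary by distribution.

```sudoers
# /etc/sudoers.d/jr-admin   (hypothetical file name)
# Edit with:   visudo -f /etc/sudoers.d/jr-admin
# Check with:  visudo -cf /etc/sudoers.d/jr-admin
# "jradmin" is a placeholder account name.

# Full root, the case the reply says cannot be restricted.
# Left commented out here for comparison:
# jradmin ALL=(ALL) ALL

# Limited access: list each command by full path, with fixed arguments.
# sudo matches the arguments exactly, so "restart" cannot be swapped
# for another argument and tail cannot be pointed at a different file.
Cmnd_Alias JR_SERVICES = /sbin/service httpd restart, \
                         /sbin/service httpd status
Cmnd_Alias JR_LOGS     = /usr/bin/tail -n 200 /var/log/messages

# Keep shells, editors, pagers and script interpreters out of the list:
# any of them can open arbitrary files or start a shell as root, which
# brings back the full-root case above.

# Record the input and output of what jradmin runs through sudo.
Defaults:jradmin log_output

# jradmin may run only the aliased commands, as root, on any host
# that uses this file.
jradmin ALL = (root) JR_SERVICES, JR_LOGS
```

With a rule set like this the account never holds a root shell, so file permissions on a home directory and on /etc still apply to it.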
