
I'd like to know if there is a way for a user account to be enabled or elevated to carry out system admin tasks WITHOUT having to use the root account or sudo.

The goal here is to allow a user account to add/delete users/printers without giving them the 'God' powers that the root account carries, essentially setting up a restricted system admin. Not sure if there is a way of doing this as most just use root, to my understanding.

Mark
  • Be careful here. Lots of risky recommendations and it sounds like you do not understand the risk. – Warner Mar 19 '10 at 13:36
  • I think I may have made it riskier than it sounded; when I say allowing the user to do these tasks, they are in fact a system admin who has been using root already. From the looks of things, changing it to a sudoer on a restricted list would be a better option and make it trackable. – Mark Mar 19 '10 at 15:01

3 Answers

2

This is what sudo is for; you don't need to allow God powers, just permission to run certain tasks as another user.

For example to allow bob to add users you add this to /etc/sudoers using visudo:

bob localhost=/usr/sbin/useradd

This doesn't give bob "God" powers; it just lets him add users.

Richard Holloway
    Let's hope that such user will not "research" if they can create a duplicate UID=0 user. I'm not sure if all versions of useradd prevent this, are you? – kubanczyk Mar 19 '10 at 12:47
  • +1 That is a very valid point. You are wise kubanskamac. Mark you should consider this in whatever solution you finally decide upon. Creating a user with uid of 0 makes that user root but with a different name. – Richard Holloway Mar 19 '10 at 13:11
  • I was aware of the uid=0 issue, the sudoers way would appear to be the option to take, I wasn't aware of the list to specify the access this way so that solves the issue. – Mark Mar 19 '10 at 15:03
  • Yeah. I'm always wary of questions that say some variation of "I want the user to be admin magically except for when I don't". You either trust someone or you don't and if you don't then do not give them administrative rights of any kind. – Rob Moir Mar 20 '10 at 11:08
1

Not sure how secure this is if you don't trust this person completely, but you could give them access to the adduser command with sudo. However, if you are adding enough users to make this worthwhile, you might want to use LDAP, tie authentication into Active Directory, or something like that.

For the printers, I think it might depend on your distro and *nix version, but in Ubuntu you would add them to the lpadmin group, I believe.

Kyle Brandt
    If you allow adduser in sudoers, make sure to restrict it to only adding users, not users to groups (or they can add themselves to the "root" group etc.). I would personally do this by creating my own bash script, which can only call adduser with one argument. It's possible to use wildcards in sudoers instead, but I haven't found out yet how much I can trust them (at least, it's easy to make a mistake with these)... – Chris Lercher Mar 19 '10 at 13:05
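The two answers above and their comments point at the same gap: a bare sudoers entry for useradd/adduser lets the caller pass any option, including ones that create a second UID 0 account or put the new user into privileged groups, which is what kubanczyk's and Chris Lercher's comments warn about. The wrapper below is an added example, not code from the thread or from any of its posters. It assumes the wrapper is installed at /usr/local/sbin/add-user-restricted (root-owned, not writable by the delegated admin) and that the sudoers line grants only that path; the name `add-user-restricted`, the 32-character limit and the hard-coded useradd options are this example's own choices.

```shell
#!/bin/sh
# add-user-restricted: example wrapper so that sudo can delegate "create an
# ordinary user" without delegating the full useradd option set.
# Assumed install path: /usr/local/sbin/add-user-restricted (root:root, 0755).
#
# Matching sudoers entry, added with visudo (assumed host alias ALL):
#   bob ALL=(root) /usr/local/sbin/add-user-restricted
#
# The wrapper, not the caller, decides which useradd options are used, so the
# delegated admin cannot request -o -u 0, -G root, or any other option.

set -eu

# Accept only a plain login name: a lowercase letter, then letters, digits,
# underscore or hyphen, at most 32 characters. Empty names and anything
# starting with "-" are rejected so no option can be smuggled in as the name.
validate_username() {
    name=$1
    case "$name" in
        ''|-*) return 1 ;;
    esac
    [ "${#name}" -le 32 ] || return 1
    printf '%s\n' "$name" | grep -Eq '^[a-z][a-z0-9_-]*$'
}

# True if the login name already has a passwd entry. The name is validated
# before this is called, so it contains no regex metacharacters.
user_exists() {
    grep -q "^$1:" /etc/passwd
}

# Create the account with a fixed option set. Only the validated name varies.
# Return codes: 0 created, 2 bad name, 3 name already taken.
add_user_restricted() {
    name=$1
    if ! validate_username "$name"; then
        echo "refused: invalid user name" >&2
        return 2
    fi
    if user_exists "$name"; then
        echo "refused: user already exists" >&2
        return 3
    fi
    # "--" ends option parsing so the name can never be read as an option.
    /usr/sbin/useradd --create-home --shell /bin/bash -- "$name"
}

# Act only when invoked with exactly one argument; when the file is sourced
# or run without arguments, the functions are defined and nothing else runs.
if [ "$#" -eq 1 ]; then
    add_user_restricted "$1"
elif [ "$#" -gt 1 ]; then
    echo "usage: $0 USERNAME" >&2
    exit 1
fi
```

The delegated admin then runs `sudo /usr/local/sbin/add-user-restricted alice`, and sudo's log records exactly that command. Keep the wrapper root-owned and unwritable by the caller, since a writable wrapper is equivalent to an unrestricted root shell.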
1

Think about some web based control panel solutions. Webmin and ebox spring to mind.

Printers you could use the CUPS web based admin panel.

The Unix Janitor