
I have a rather unique situation that I need to come up with a solution for. We have servers to which a remote team requires root access to perform certain jobs. We need to still allow them root access, but deny them the ability to use iptables, visudo & passwd.

We are going to force them to not be able to login as root any longer and to login with user accounts that have all root functionality except for the above mentioned functions.

Can someone describe to me what I would need to do to accommodate this?

Thanks.

Skittles

2 Answers

3

Would not that be the job of sudo? Or you can look into a jail or a restricted/limited shell if sudo is not something you can use.

johnshen64
  • Thanks johnshen64. Like I said. We plan on creating new accounts for them to use to access the server and will likely add them to the sudoers file, but I need a way to prevent them from being able to issue those above mentioned commands. – Skittles Apr 24 '12 at 16:05
  • Sudo will limit what commands they can run... – Bart Silverstrim Apr 24 '12 at 16:07
  • The answer WerkkreW provided does concern me because it does seem that sudo can be circumvented. I am still considering this as an option though, as I am thinking that they may not be that savvy to be able to figure out the workarounds. – Skittles Apr 24 '12 at 16:09
  • It is actually not so easy to exclude such common commands. Though sudo can disallow them from running these as root, you can have a jail such as http://rhcelinuxguide.wordpress.com/2006/07/02/linux-jail/ so that you can limit the user to only those commands you allow them to execute. However, beware that if the user is really malicious, he or she can break out of your restriction far easier than someone with no access trying to break into your system. These measures are more for gentlemen not to accidentally do harm than for letting people you don't trust do things. – johnshen64 Apr 24 '12 at 16:18
  • @johnshen64 - Thank you for that rather concise explanation. I'm thinking that we will try creating a user account for them and then define that they are not allowed to use visudo, iptables, passwd, all the shells, reboot, halt and shutdown. If they are still determined to usurp our restrictions, then perhaps we will have to step things up a notch. Thank you, again. – Skittles Apr 24 '12 at 16:57
0

You want to make use of sudo and learn how to edit the /etc/sudoers file. That said, there are ways for a user to circumvent these controls if they try.

Some good discussion on this topic here: Editing sudoers file to restrict a user's commands

and here: http://linsec.ca/Using_Sudo_to_Limit_Access

WerkkreW
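As an added example (not from the thread or its authors), the two sudoers shapes the answers contrast: the deny-list the question asks for, which sudoers(5) itself documents as not enforceable, beside an allow-list that grants only the commands the jobs need, plus a validated install step. The user names, the `app.service` commands in `REMOTE_JOBS`, and the log path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. User names, command paths and the
# REMOTE_JOBS list are placeholders to be replaced with the real ones.

# Weak form: what the question asks for. sudoers(5) documents that
# subtracting commands from ALL with '!' is not a security control;
# a user granted ALL is not really prevented from running the listed
# programs, so this only guards against accidents, as the comments say.
render_denylist() {
  cat <<'EOF'
User_Alias  REMOTE_TEAM = alice, bob
Cmnd_Alias  FORBIDDEN   = /usr/sbin/visudo, /sbin/iptables, /usr/bin/passwd
REMOTE_TEAM ALL = (root) ALL, !FORBIDDEN
EOF
}

# Hardened form: grant only the commands the jobs actually need, drop the
# trailing ALL, and record every sudo session so it can be reviewed.
render_allowlist() {
  cat <<'EOF'
User_Alias  REMOTE_TEAM = alice, bob
Cmnd_Alias  REMOTE_JOBS = /usr/bin/systemctl restart app.service, \
                          /usr/bin/journalctl -u app.service *, \
                          /usr/bin/tail -n * /var/log/app/*
Defaults:REMOTE_TEAM log_output, logfile=/var/log/sudo-remote.log
REMOTE_TEAM ALL = (root) REMOTE_JOBS
EOF
}

# Validate with visudo before installing: a syntax error in sudoers can
# lock everyone out of sudo, and `visudo -cf FILE` checks a file without
# touching the live configuration. Must be run as root.
install_fragment() {
  tmp=$(mktemp) || return 1
  render_allowlist > "$tmp"
  if visudo -cf "$tmp"; then
    install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/remote-team
    rm -f "$tmp"
  else
    echo "refusing to install: fragment failed visudo check" >&2
    rm -f "$tmp"
    return 1
  fi
}
```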