SUMMARY - Assigning "root" privileges to a user

From: Santomauro, Deborah <deborah.santomauro_at_lmco.com>
Date: Thu Feb 12 2004 - 10:34:13 EST
Many thanks to the following:
Allan West
Andrew Caines
Asif Iqbal
David Booth
Mitchell Bruntel
William Cole
Debbie Tropiano
"hike1272-sunhelp"
And the list continues to grow as so many others were willing to take the
time out to respond.  So if your name is not listed, it is not on purpose,
but a big hearty thanks to you all :o)

I'm going to use the recommendations provided by Chad Johnson and David
Booth which is basically to create an alias for the user and then allow him
all of root's privileges with the exception of a certain few. This is what
Chad and David said:

(from Chad)
use sudo, but allow the user to execute a shell.  Here is an example of what
we have:

User_Alias	FULLTIMERS=user1,user2,user3....
...
FULLTIMERS	ALL=NOPASSWD:ROOTSHELLS


This allows user1,user2,user3... to do 'sudo ksh' and have root perms, but
not to change root's pw.

(from David)
The only suggestion I can make is that you define what they are NOT allowed
to do as a separate command group alias in sudoers, then assign them
"ALL=ALL, !FORBIDDEN" where the FORBIDDEN command group is the ones you
want to exclude...

Obviously FORBIDDEN should include su, passwd, rlogin, rsh, ssh and all
shells.


Original question:
> Gurus,
> 
> I've looked at both RBAC and SUDO but neither one really appears to be 
> the answer to my problem.  I have a user who was given "root" (this 
> was done under heavy protest but to no avail) on a Sun box (Solaris 
> 8-Sun Fire 280).
> What I need to do is:
> 
> 1. continue to allow this user to have root privileges
> 2. not allow the user to change root's password or
> 3. to be able to log onto other systems on the network as root.
> 
> Since this is a single system, sudo would work well BUT the sudoers 
> file would end up being horribly long and difficult to maintain. Is 
> there another way of doing what is needed or perhaps someone already 
> has an existing sudoers file that may fit my needs?


Deborah Santomauro
Unix System Administrator
Lockheed Martin-Enterprise Information Systems
Palmdale, CA  93599
Phone: 661-572-1178
Fax: 661-572-5398
It is not death that we should fear, but we should fear never beginning to
live - Marcus Aurelius

              \|||//
           (@@) 
 __ooO_(_)_Ooo____________________
 |______|_____|_|_____|_____|_____|
 |_____|_____|____|_____|_____|____| 
 |_____|_____|______|_______|______|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu Feb 12 10:34:04 2004

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:26 EST
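As an added example, not part of the original thread or any of the quoted replies, the following shell script assembles one sudoers fragment that combines both suggestions above: a User_Alias for the near-root users (Chad's approach) and a FORBIDDEN Cmnd_Alias holding su, passwd, rlogin, rsh, ssh and the shells, negated from ALL (David's approach). The user name "jdoe", the alias names and the /usr/bin command paths are assumptions for illustration; check the real paths on the target box, since a path that does not match the installed binary silently leaves that command allowed.

```shell
#!/bin/sh
# Added example (not code from the sunmanagers thread). Builds a sudoers
# fragment that grants a user root rights via sudo while excluding the
# commands that would let them change root's password, log in elsewhere as
# root, or get an interactive shell.
# Assumptions: user "jdoe" and Solaris-style /usr/bin paths; adjust both.

# Print the sudoers fragment to stdout.
make_sudoers_fragment() {
    cat <<'EOF'
# Users who get near-root access via sudo (hypothetical name)
User_Alias      ROOTISH = jdoe

# Commands that must never run through sudo: identity/password changes,
# remote logins as root, and interactive shells (paths are assumed).
Cmnd_Alias      FORBIDDEN = /usr/bin/su, /usr/bin/passwd, \
                            /usr/bin/rlogin, /usr/bin/rsh, /usr/bin/ssh, \
                            /usr/bin/sh, /usr/bin/ksh, /usr/bin/csh, \
                            /usr/bin/bash

# Everything as root except the FORBIDDEN group.
ROOTISH         ALL = (root) ALL, !FORBIDDEN
EOF
}

# Write the fragment to a file and, when visudo is installed, parse it with
# "visudo -c -f FILE" (syntax check only; nothing is installed). Returns the
# exit status of visudo, or 0 with a notice if visudo is unavailable.
syntax_check_fragment() {
    out=${1:-/tmp/sudoers.rootish}
    make_sudoers_fragment > "$out"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$out"
    else
        echo "visudo not found; skipping syntax check of $out" >&2
    fi
}
```

Run `syntax_check_fragment /tmp/sudoers.rootish` on the system, review the output, then merge the fragment into /etc/sudoers with visudo rather than copying it over the file. The sudoers manual itself cautions that a "!" exclusion list is not a hard security boundary for a user who otherwise has ALL, so treat the FORBIDDEN group as a guard against routine misuse and keep sudo logging on and reviewed.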