Creating a user account to install apps other than root
I have a CentOS 5.6 64-bit Linode and I have to provide access to developers and architects to install and configure Apache/PHP/MySQL/Drupal, etc. packages.
I don't want to give them the root username and password. What privileges should the new user account have in order to accomplish the above tasks?
At some point they may need the root user account; is there a sudo option in CentOS?
Thanks.
16 Replies
Take a look at the man page for "sudoers", from there you can easily configure individual users or groups to run specific commands (such as restarting Apache) as root (or as another user) with their own password.
@Guspaz:
Keep in mind that giving a user sudo permission is identical to giving them the root username and password. It even lets them change the root password, and they can su to root using "sudo su -" without having the root password.
Not entirely true. "sudo" is not a program for running commands as root, it's a program for running commands as a different user, which by default in most/all places seems to be root.
You can very, very easily configure "sudo" via the "sudoers" file to give permission for 1 user to run only 1 command as root.
So if you give 1 user permission to run "sudo apache2ctl graceful", that is all they can ever do as root (or whatever user is configured).
Apps that let you escape into a shell may not even be obvious. The 'less' command does, you would just need to type "! sh" and boom, root shell, although there are other ways. The 'more' command is similar, as are most text editors.
For example, strictly restricting the user to apache2ctl is not enough. They can set environment variables to point apache2ctl at a custom config file that loads any executable code they want, or if they want to do it user-friendly-like, they can use it to run php as root; if you control the apache configuration, getting a root shell is easy. Yes, you can restrict environment variables in the sudoers list, but this just illustrates how dangerous it is to give someone root access to anything.
Thanks for the detailed information.
I have gone through the sudoers config file and I have added the following at the end of the file.
User_Alias ADMINS = username
ADMINS ALL = LOCATE
But it's not working. I log in remotely as that username, but executing sudo prompts for a password and no matter what password I enter, it doesn't let me in.
I am giving this access to developers and I know them well. So, I don't see them misusing the server. They may also have to fine-tune the OS at some stage. I don't want to share the root user account but need an alternative.
I think, if the user is able to execute sudo bash, he gets into a root shell; correct me if I am wrong. Probably, this could also save the user from typing sudo for each and every command.
How do I configure this?
Thanks,
But he is able to execute sudo bash; how can I restrict only this?
Avinash
You said you might want them to do other things on the server, so don't tie their hands (not that you really can anyway), if you trust them. If you don't trust them, log them in and watch over their shoulder while they're logged in as root.
Avinash
In short, if you give somebody sudo access, assume they have full root access.
I am asking this because I see the cmd_aliases option in the sudoers file. So is it possible to restrict only the "sudo bash" command for a particular user/group? I believe that when there's an option to assign privileges/permissions to users/groups for only one command, the other way round should also be possible.
Thanks for your time.
Avinash
@Guspaz:
It's impossible. On Ubuntu, you can tell apt-get to run post-invoke commands (such as "bash"). I don't see an easy way to do it with Yum in CentOS, but you can always create a package that does so and install it with yum.
In short, if you give somebody sudo access, assume they have full root access.
TL;DR: It is not possible to securely prevent someone from running bash using sudo config options, while letting them do other things with sudo.
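Added example, not part of any post in this thread: a small Python audit that reads sudoers-style text and lists the grants the replies above treat as root-equivalent (pagers and editors with shell escapes, apache2ctl, package managers, ALL, and negated entries). The sample rules, the user names and the editor names vi, vim and nano are assumptions, and the parser handles only basic rule syntax.

```python
import re

# Commands the thread names as routes to a root shell when allowed through sudo.
# vi, vim and nano are assumed stand-ins for "most text editors".
RISKY = {**dict.fromkeys(("less", "more"), "pager shell escape"),
         **dict.fromkeys(("vi", "vim", "nano"), "editor shell escape"),
         **dict.fromkeys(("sh", "bash"), "is a shell"),
         "su": "switches to root", "apt-get": "post-invoke commands",
         "yum": "package scripts run as root",
         "apache2ctl": "config and environment decide what runs as root"}
ALIAS_DEF = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")

# Constructed sample, not the poster's file; "webdev" and "dba" are made-up users.
SAMPLE = """\
Cmnd_Alias WEB = /usr/sbin/apache2ctl graceful, \\
                 /usr/bin/less /var/log/httpd/error_log
User_Alias ADMINS = webdev
ADMINS ALL = (root) NOPASSWD: WEB, LOCATE
dba    ALL = ALL, !/bin/bash   # deny-list attempt
"""

def audit(text):
    """Return (who, command, reason) for each grant that deserves review."""
    aliases, findings, rules = {}, [], []
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()                 # drop comments
        m = ALIAS_DEF.match(line)
        if m and m.group(1) == "Cmnd":
            aliases[m.group(2)] = [c.strip() for c in m.group(3).split(",") if c.strip()]
        elif not m and "=" in line and not line.startswith("Defaults"):
            rules.append(line)
    for rule in rules:
        lhs, rhs = rule.split("=", 1)
        rhs = re.sub(r"\([^)]*\)|\b[A-Z_]+:", " ", rhs)  # drop (runas) and TAG:
        for item in filter(None, (c.strip() for c in rhs.split(","))):
            for cmd in aliases.get(item, [item]):        # expand Cmnd_Alias names
                reason = RISKY.get(cmd.split()[0].rsplit("/", 1)[-1])
                if cmd.startswith("!"):
                    reason = "negated entry, does not reliably restrict"
                elif cmd == "ALL":
                    reason = "unrestricted root"
                elif cmd.isupper() and "/" not in cmd:
                    reason = "alias not defined in this text"
                if reason:
                    findings.append((lhs.split()[0], cmd, reason))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A command that is absent from the table is not thereby safe; the table only covers what this thread mentions.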
@carmp3fan:
To be fair, it is trivial to obtain root access even without sudo access. That's why you must be careful about giving anybody SSH access without severely limiting the user's abilities.
No, it's not, unless you're running a kernel with known root exploits.
What this means then is that someone that manages his account all by himself doesn't need to be bothered by this. Anyway I was thinking keeping my wordpress site on the root has a negative implication.
But so far I intend to run only one wordpress site I think am cool with that.
Or anything wrong with that?
@skd4 --
You write:
Anyway I was thinking keeping my wordpress site on the root has a negative implication.
What does this mean? On the root filesystem? Unless you're paying for block storage, you don't have much choice but to keep your site's files on the root file system ;-). It's been a long time since I've installed wordpress but, as I recall, it gets installed using the user for the web server. You have to create a MySQL user for wordpress too (which is the owner of all the database tables).
But so far I intend to run only one wordpress site I think am cool with that.
You can manage a wordpress site without being the superuser.
Having superuser privileges in Unix/Linux is an all-or-nothing proposition…not like Windoze where there are 4 different account types with a zillion different combinations of privileges…some of which supplement and some of which override (this is one of THE MOST ANNOYING things about Windoze!)…which EVERYONE circumvents by making every account an Administrative account.
A user with superuser privileges can destroy your system…without any tracks. If you don't trust someone with superuser privileges, don't hand them out.
You all need to be careful about using the words "privilege" and "permission" interchangeably. These are two different things…
-- sw