
Re: Single-use root account?



Hello

Alex Malinovich (<demonbane@the-love-shack.net>) wrote:

> On Fri, 2003-11-07 at 03:22, Roberto Sanchez wrote:
>> Alex Malinovich wrote:
>>
>>> I've decided that it's about time I look for a solution to a
>>> problem that's been bugging me. On certain occasions, I find it
>>> necessary to have one of my roommates do something to the network
>>> at home when I'm not there. As such, they generally will need root
>>> access to do it. While I certainly trust them, I'm very security
>>> conscious and wouldn't feel comfortable giving them my root
>>> password. So I had the idea of setting up a one-time use root
>>> account. You can log in once, but as soon as you do the user gets
>>> locked out. (passwd -l in .bashrc)
>>> 
>>> Unfortunately, since I use the "real" root account very frequently
>>> this would be a great hassle. So I'd like to set up a pseudo-root
>>> account for this purpose. It's easy enough to do an adduser --gid
>>> 0, but that would still leave quite a few things which the user
>>> couldn't do. (At least unless I did a chmod -R g+rwx *, which I'd
>>> like to avoid.)
>> 
>> What about sudo?  You can set it up to grant very limited permissions
>> (i.e., one or two commands only) to a specific user.
> 
> I never really know what I'll need them to do, so it's not really
> viable. It could be changing network settings one day (so I'd have to
> allow access to ifconfig, route, export2fs, etc), user admin another
> day (passwd, adduser, etc), and package management after that (dpkg,
> apt, etc). That would become very unmanageable very quickly.

You can allow normal users to start a bash (or any other shell) via
sudo. That way they won't need to have a special user or group ID and
can authenticate themselves with their own passwords.

best regards
        Andreas Janssen

-- 
Andreas Janssen
andreas.janssen@bigfoot.com
PGP-Key-ID: 0xDC801674
Registered Linux User #267976
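
One way to set up the sudo shell grant suggested in the reply above, as an added example that is not code from the thread. The user name `roommate`, the drop-in path under /etc/sudoers.d (which assumes /etc/sudoers includes that directory), and the choice to disable credential caching and turn on sudo I/O logging are assumptions.

```shell
#!/bin/sh
# Added example: build a sudoers drop-in that lets one named user start a
# root shell with their own password. The user name "roommate" used below and
# the drop-in file name are assumptions, not values from the thread.

# Print the drop-in for user $1; refuse names that could smuggle extra
# sudoers syntax (spaces, commas, newlines, '%', '#', ...).
make_shell_grant() {
    user=$1
    case $user in
        ''|-*|*[!a-z0-9_-]*)
            echo "refusing unsafe user name" >&2
            return 1 ;;
    esac
    cat <<EOF
# Ask for the user's own password on every sudo call (no cached ticket).
Defaults:$user timestamp_timeout=0
# Record the session's terminal input and output for later review.
Defaults:$user log_input, log_output
# The grant itself: a root shell, nothing run as other users.
$user ALL=(root) /bin/bash
EOF
}

# Write the drop-in to $2, syntax-check it with visudo, and only then put it
# in place with the 0440 mode sudo expects. Run as root.
install_shell_grant() {
    user=$1
    dest=$2
    tmp=$(mktemp) || return 1
    make_shell_grant "$user" > "$tmp" || { rm -f "$tmp"; return 1; }
    visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0440 -o root -g root "$tmp" "$dest"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (as root):
#   install_shell_grant roommate /etc/sudoers.d/roommate-shell
# Revoke afterwards with:
#   rm /etc/sudoers.d/roommate-shell
```

The user then runs `sudo /bin/bash` and types their own password; removing the drop-in file withdraws the access without touching the root password.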


