
Re: Root privilege (SOLVED)



On Fri, Jan 12, 2007 at 01:42:44AM -0500, cga2000 wrote:
 
> This is what root's recently been up to on my laptop:
> 
> * manually adjusting the system & hardware clock
Look at chrony.  If you don't want it to sync to an NTP server over the
net, it still has the capability to take your watch time and slew the
system time.  The chrony password is _not_ the root password.
> * bouncing the network
?
> * starting/restarting/stopping daemons
> * adding "local" stuff to the /etc/rc.* boot scripts
> * adding/removing test users
> * resetting the wife's password
> * running a password cracker
Make it a cron job
> * running chkrootkit
Cron.
> * viewing logs
Add yourself to group adm
> * accessing /var/spool/
routinely???
> * shutting down the system
/etc/inittab --> shutdown -a...
add yourself (and your wife?) to /etc/shutdown.allow
> * starting a vmware image
> * starting my chroot etch install
> * moving stuff to a fat file system
> * looking for and deleting core files
So disallow core files.
> * teaching myself the intricacies of cron
> * loading/unloading modules
Hopefully a rare event.
> * adding/removing software with apt
> * kernel upgrades/reconfiguration (partially as root)
> * make-installing software compiled from source
> * running dpkg-reconfigure
> * manually running updatedb
> * sync'ing file systems
> * renicing tasks
> * changing file ownership/permissions
> * adding an entry to the terminfo database
> * running lilo
> * mounting/unmounting file systems
If this is routine and a user should be able to do it, look at the user
option in /etc/fstab.  I think you can limit this ability to a
particular user (or group?)
> * running backups
> * creating/burning iso images
You can set up xcdroast to give this ability to individual users.
> * system tools such as fdisk that may require root privileges
I save the partition table as part of my backup script (also run as
root).
> * same for the network -- ifconfig .. ip .. tcpdump ..
> * editing config files in the directory tree
> * killing misbehaving processes
> * changing root's password
> * testing the OP's problem
> 
> Notes:
    
> 2. A significant number of tasks do not require root privileges .. some
>    simple stuff such as adding /sbin to my $PATH .. adding myself to a
>    couple of groups .. etc. would let me perform these at least in part
>    under my regular account.  

I've heard some people suggest that root should have no path so a full
path has to be used to run a command.  Not having /sbin in your $PATH
doesn't keep you from running a command in /sbin.

>    
>    But then I'd have to think .. does this particular option or feature
>    require root privileges .. ??  I don't want to have to think about
>    such aspects.  I mean, I'm looking for clues in /var/log .. some logs
>    are world-readable and others are not..  The problem I'm dealing with
>    may be quite serious..  I am already in a foul mood .. Do I really
>    need the additional aggravation of having to switch accounts while
>    investigating..?  
>    

In pam.d/su make adm the wheel group.  Put yourself in group adm.  If
you really trust your password then set it up so you don't need the root
password.  Then to do something as root it's just su - ...

Don't do root stuff when you're in a foul mood...
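
The delegations suggested in this message (pam_wheel with group adm in pam.d/su, the user option in /etc/fstab, /etc/shutdown.allow) can be checked with a small read-only audit. This is an added example, not part of the original post: the sample file contents and the user name alice are constructed, and the fstab check also covers the related users, owner and group mount options.

```shell
#!/bin/sh
# Added example: read-only audit of the delegations suggested in the message.
# Every file below is a constructed sample, not taken from a real system.

# Summarise pam_wheel use in a PAM su file: "disabled" or "group=G trust=yes|no".
# trust=yes means group members get root via su without the root password.
wheel_policy() {
    awk 'BEGIN { trust = "no"; group = "wheel" }   # pam_wheel default group
         /^[ \t]*#/ { next }
         /pam_wheel\.so/ { found = 1
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^group=/) group = substr($i, 7)
                 if ($i == "trust") trust = "yes" } }
         END { if (found) print "group=" group " trust=" trust
               else print "disabled" }' "$1"
}

# List fstab entries that non-root users may mount, with the option allowing it.
fstab_user_mounts() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { n = split($4, opt, ",")
           for (i = 1; i <= n; i++)
               if (opt[i] ~ /^(user|users|owner|group)$/) { print $2, opt[i]; break } }' "$1"
}

# Succeed if user $2 is listed in shutdown.allow file $1.
shutdown_allowed() { grep -v '^#' "$1" | grep -qxF "$2"; }

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/su" <<'EOF'
auth  sufficient  pam_rootok.so
# auth required pam_wheel.so
auth  sufficient  pam_wheel.so trust group=adm
EOF
cat > "$tmp/fstab" <<'EOF'
/dev/hda1  /         ext3     defaults            0 1
/dev/hda5  /mnt/fat  vfat     noauto,user         0 0
/dev/hdc   /cdrom    iso9660  ro,noauto,group     0 0
EOF
printf '# constructed\nalice\n' > "$tmp/shutdown.allow"

echo "su:    $(wheel_policy "$tmp/su")"
fstab_user_mounts "$tmp/fstab"
shutdown_allowed "$tmp/shutdown.allow" alice && echo "alice may shut down"
```

On a real system, point the functions at /etc/pam.d/su, /etc/fstab and /etc/shutdown.allow; a result of trust=yes means every account in the named group is effectively a root account.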



