
I have a task to separate the duties of users on a group of servers; the system is CentOS 7. There is a user that I want to give every right on the server except the right to change root's and other users' passwords. Adding the user to the group wheel doesn't make it right, because the intended user would be able to change everyone's passwords (including root's). I searched for an answer but couldn't find anything relating to this particular demand.

Anyone have an idea about this?

Thanks in advance.

2 Answers

You need to give the user specific commands they can run, and be very specific. You could limit their access so they can't run "sudo password" directly, but it doesn't really enforce it. If they can start a root shell they can bypass this. You can even run vi as root and run commands within it.

In the past I have given users a lot of access by making them a program with a menu so they can do specific actions. This allowed me to check all input they gave.

  • Thanks, but as I mentioned, the user I'm talking about must have all kinds of commands, so it seems rather pointless to list all the commands he might use (if that even works). What I'm looking for is to give him root privileges except for changing passwords. – Ghaith Mansour Apr 26 '16 at 12:42
  • If you give him or her vi, chmod, tar, or any shell, to name a few commands, then you are wide open and anything you do is simply an illusion of security. I had a security person ask me about this type of thing, and he said the user only had tar and a few other commands. I broke in using tar in seconds. You need to approach this from a different direction. Why would you allow someone root access if you don't trust them not to change passwords? Some kind of configuration management system could help track changes, so at least you would know what they are doing. – Mat000111 Apr 26 '16 at 12:48
  • Thanks a lot. I know I'm being a little bit demanding, but I was wondering if I can do it to raise security to the maximum. Trust might be the answer this time :) – Ghaith Mansour Apr 26 '16 at 12:52

You can't restrict and enforce sudo to "allow everything except ...", period.

If you want to prevent somebody with local sudo/root rights from changing user passwords, the passwords shouldn't be stored on that system; you would typically set up a central authentication database, such as an LDAP directory, Kerberos, an IPA server, etc.

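As an added, defender-side illustration of both answers (this is not code from the thread or from sudo itself): a small Python audit that flags sudoers rules written as "ALL except ..." and rules that grant commands such as vi or tar, which hand out a root shell anyway. The sudoers sample is constructed, and the SHELL_CAPABLE list is an assumption drawn from the commands the answers name.

```python
import re

# Constructed sudoers content for illustration (not from the original thread).
SAMPLE_SUDOERS = """\
# "everything except passwd": the ! exclusion is not an effective control
ops     ALL=(ALL) ALL, !/usr/bin/passwd
# short allow-list that still hands out root via editor/archiver escapes
backup  ALL=(root) /usr/bin/tar, /usr/bin/vi
# narrow, non-interactive command with no obvious escape
monitor ALL=(root) NOPASSWD: /usr/bin/systemctl status httpd
"""

# Commands the thread names as equivalent to handing out a root shell (assumed list).
SHELL_CAPABLE = {"vi", "vim", "tar", "chmod", "sh", "bash"}
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
                    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def audit_sudoers(text):
    """Return (lineno, user, kind, commands) for each weak rule found.

    kind is "allow-all-except" when ALL is combined with ! exclusions, or
    "shell-escape" when an allowed command can spawn a root shell.
    Defaults and alias lines are skipped; this is a heuristic audit of
    plain user specs, not a full sudoers parser.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or "=" not in line or line.startswith(SKIP_PREFIXES):
            continue
        user_host, cmnd_spec = line.split("=", 1)
        user = user_host.split()[0]
        cmnd_spec = re.sub(r"\([^)]*\)", "", cmnd_spec)  # drop the (runas) part
        cmnd_spec = TAG_RE.sub("", cmnd_spec)            # drop NOPASSWD: and similar tags
        cmds = [c.strip() for c in cmnd_spec.split(",") if c.strip()]
        negated = [c for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:
            findings.append((lineno, user, "allow-all-except", negated))
        for c in cmds:
            base = c.lstrip("!").split()[0].rsplit("/", 1)[-1]
            if not c.startswith("!") and base in SHELL_CAPABLE:
                findings.append((lineno, user, "shell-escape", [c]))
    return findings

if __name__ == "__main__":
    for lineno, user, kind, cmds in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {user}: {kind}: {', '.join(cmds)}")
```

Point it at a real /etc/sudoers or /etc/sudoers.d fragment after `visudo -c` has validated the syntax; the "allow-all-except" findings are exactly the rules both answers say cannot be enforced.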