Creating a user account to install apps other than root

Hi Guys,

I have a CentOS 5.6 64-bit Linode and I am having to provide access to developers and architects to install and configure Apache/PHP/MySQL/Drupal, etc. packages.

I don't want to give them the root username and password. What privileges should the new user account have in order to accomplish the above tasks?

At some point they may need the root user account. Is there a sudo option in CentOS?

Thanks.

16 Replies

Install the "sudo" package if not already installed and that will do all you need. "sudo" is much more than just an application to run commands as root, you can do a lot with it in terms of configuration.

Take a look at the man page for "sudoers", from there you can easily configure individual users or groups to run specific commands (such as restarting Apache) as root (or as another user) with their own password.

Keep in mind that giving a user sudo permission is identical to giving them the root username and password. It even lets them change the root password, and they can su to root using "sudo su -" without having the root password.

@Guspaz:

> Keep in mind that giving a user sudo permission is identical to giving them the root username and password. It even lets them change the root password, and they can su to root using "sudo su -" without having the root password.

Not entirely true. "sudo" is not a program for running commands as root, it's a program for running commands as a different user, which by default in most/all places seems to be root.

You can very, very easily configure "sudo" via the "sudoers" file to give permission for 1 user to run only 1 command as root.

So if you give 1 user permission to run "sudo apache2ctl graceful", that is all they can ever do as root (or whatever user is configured).

As soon as you're giving a user root permission to do anything, you've opened that door. In the case of many apps, they may provide their own ways to escape into a root shell. sudo can't actually prevent that, since noexec doesn't work on statically linked binaries.

Apps that let you escape into a shell may not even be obvious. The 'less' command does: you would just need to type "! sh" and boom, root shell, although there are other ways. The 'more' command is similar, as are most text editors.

For example, strictly restricting the user to apache2ctl is not enough. They can set environment variables to point apache2ctl at a custom config file that loads any executable code they want, or if they want to do it user-friendly-like, they can use it to run php as root; if you control the apache configuration, getting a root shell is easy. Yes, you can restrict environment variables in the sudoers list, but this just illustrates how dangerous it is to give someone root access to anything.

Guys,

Thanks for the detailed information.

I have gone through the sudoers config file and I have added the following at the end of the file.

```
User_Alias ADMINS = username
ADMINS ALL = LOCATE
```

But it's not working. I log in remotely as that username, but executing sudo prompts for a password, and no matter what password I enter, it doesn't let me in.

I am giving this access to developers and I know them well. So, I don't see them misusing the server. They may also have to fine tune the OS at some stage. I don't want to share the root user account but need an alternative.

I think, if the user is able to execute sudo bash, he gets into root shell; correct me if I am wrong. Probably, this could also avoid the user having to type sudo for each and every command.

How do I configure this?

Thanks,

I run Ubuntu on my servers, and Ubuntu has disabled direct access to the root account (you can't "su -") by default. So I've gotten in the habit of running "sudo su -" to get a root prompt…

I have somehow configured the sudoers file and the user can execute commands to install applications.

But, he is able to execute sudo bash; how can I restrict this only?

Avinash

If you give them sudo because you want them to have some root privileges, as Guspaz said, you're opening the door. Either you trust them with that access or you don't. The problem is human not technical. Have they earned your trust enough for you to give them that level of access to your server? If so give them sudo.

You said you might want them to do other things on the server, so don't tie their hands (not that you really can anyway), if you trust them. If you don't trust them, log them in and watch over their shoulder while they're logged in as root.

That's what I meant, I am ok giving them sudo access. But, I don't want them to execute sudo bash. Coz, this makes them root and even the prompt becomes [email protected]. How do I restrict this?

Avinash

It's impossible. On Ubuntu, you can tell apt-get to run post-invoke commands (such as "bash"). I don't see an easy way to do it with Yum in CentOS, but you can always create a package that does so and install it with yum.

In short, if you give somebody sudo access, assume they have full root access.

Hmm..

I am asking this because I see the cmd_aliases option in the sudoers file. So is it possible to restrict only the "Sudo bash" command for a particular user/group? I believe that when there's an option to assign privileges/permissions to users/groups for only one command, the other way round should also be possible.

Thanks for your time.

Avinash

@Guspaz:

> It's impossible. On Ubuntu, you can tell apt-get to run post-invoke commands (such as "bash"). I don't see an easy way to do it with Yum in CentOS, but you can always create a package that does so and install it with yum.
>
> In short, if you give somebody sudo access, assume they have full root access.

You don't seem to be listening to what people are trying to tell you. You can configure sudo however you want, but you need to realize that once you give someone partial root with sudo, they can very easily get full root access. This applies even more when you attempt to only block one command.

TL;DR: It is not possible to securely prevent someone from running bash using sudo config options, while letting them do other things with sudo.
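Added example (not code from any poster in this thread): a small Python audit that reads sudoers text and flags the grants the replies above describe as equivalent to full root, including `!command` blacklist rules of the kind asked about. The function names, the editor names standing in for "most text editors", and the sample rules are assumptions constructed for illustration.

```python
import os
import re

# Names taken from the thread; vi/vim/nano stand in for "most text editors" (assumption).
ROOT_SHELLS = {"bash", "sh", "su"}
ESCAPABLE = {"less", "more", "vi", "vim", "nano", "apache2ctl", "apt-get", "yum"}

def classify(negated, command):
    """Return why a granted command is effectively full root, or None."""
    if negated:
        return "blacklist entry: any other allowed command can still start the shell"
    if command == "ALL":
        return "unrestricted root"
    base = os.path.basename(command.split()[0])
    if base in ROOT_SHELLS:
        return "direct root shell"
    if base in ESCAPABLE:
        return "can start a shell or load code as root"

def audit_sudoers(text):
    """Simplified parser: Cmnd_Alias must be defined before use, one level deep."""
    aliases, findings = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        alias = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if alias:
            aliases[alias.group(1)] = [c.strip() for c in alias.group(2).split(",")]
        elif "=" in line and not re.match(r"(Defaults|\w+_Alias)\b", line):
            user = line.split()[0]
            spec = line.split("=", 1)[1]
            cmds = re.sub(r"\([^)]*\)|\b[A-Z_]+:", "", spec)  # drop (runas), TAG:
            for item in filter(None, map(str.strip, cmds.split(","))):
                negated, name = item.startswith("!"), item.lstrip("! ")
                for command in aliases.get(name, [name]):
                    if (reason := classify(negated, command)):
                        findings.append((no, user, command, reason))
    return findings

# Constructed sample, not taken from any real host.
SAMPLE = """\
Cmnd_Alias WEB = /usr/sbin/apache2ctl graceful, /usr/bin/less /var/log/httpd/error_log
Cmnd_Alias SHELLS = /bin/bash, /bin/sh
dev1 ALL = (root) WEB
dev2 ALL = ALL, !SHELLS
dev3 ALL = NOPASSWD: /usr/bin/yum install *
dev4 ALL = /usr/bin/updatedb
"""
if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(*finding, sep=" | ")
```

Only the `dev4` rule passes without a finding; every other user in the sample should be treated as having full root.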

To be fair it is trivial to obtain root access even without sudo access. That's why you must be careful about giving anybody SSH access without severely limiting the user's abilities.

@carmp3fan:

> To be fair it is trivial to obtain root access even without sudo access. That's why you must be careful about giving anybody SSH access without severely limiting the user's abilities.

No, it's not, unless you're running a kernel with known root exploits.

What this means then is that someone that manages his account all by himself doesn't need to be bothered by this. Anyway I was thinking keeping my wordpress site on the root has a negative implication.
But so far I intend to run only one wordpress site, I think I am cool with that.
Or anything wrong with that?

@skd4 --

You write:

> Anyway I was thinking keeping my wordpress site on the root has a negative implication.

What does this mean? On the root filesystem? Unless you're paying for block storage, you don't have much choice but to keep your site's files on the root file system ;-). It's been a long time since I've installed wordpress but, as I recall, it gets installed using the user for the web server. You have to create a MySQL user for wordpress too (which is the owner of all the database tables).

> But so far I intend to run only one wordpress site, I think I am cool with that.

You can manage a wordpress site without being the superuser.

Having superuser privileges in Unix/Linux is an all-or-nothing proposition…not like Windoze where there are 4 different account types with a zillion different combinations of privileges…some of which supplement and some of which override (this is one of THE MOST ANNOYING things about Windoze!)…which EVERYONE circumvents by making every account an Administrative account.

A user with superuser privileges can destroy your system…without any tracks. If you don't trust someone with superuser privileges, don't hand them out.

You all need to be careful about using the words "privilege" and "permission" interchangeably. These are two different things…

-- sw
