Solved

More Than One root

Posted on 1999-01-15
Last Modified: 2010-04-21
How do I give 3 users root permissions on a UNIX system?

I mean full root permission.

I tried putting these users in the root (GID 0) group, but it does not seem to work. I tried putting them in the sys group but it still does not work.

Any ideas?
Question by:mohammedg
13 Comments
 

Expert Comment

by:tgreaser
ID: 2008729
I would keep the group idea... It's just that you need to change the rights that group has.

Do a man on chmod, chgrp and umask... What OS are you running?
0
 

Expert Comment

by:tgreaser
ID: 2008730
Here's a program to do this:
http://www.courtesan.com/courtesan/products/sudo/
0
 

Expert Comment

by:rajeevm
ID: 2008731
Hello,
There are a lot of ways if you want to give root permission to any user. One very simple way is to make the user ID of all the users '0' in the /etc/passwd file; then all of them will become root, but now there will be no distinction between all the (root) users. Can you tell me why you want to make three users root, so that I can tell you some other way to achieve your goal?
Thanks & Regards,
Rajeev Mishra
0
 
LVL 1

Author Comment

by:mohammedg
ID: 2008732
Thank you, but I already know about sudo; I think su does the same job as well. But what I need is flexibility like the Windows NT administration groups, in which you can add a user to the Admin group and make that user an administrator. I need to do this because sometimes I have to assign an administration job to another user if I am away or too busy. The OSes that we run are IRIX 6.x and Solaris 2.5.x.
0
 

Expert Comment

by:mfarnam
ID: 2008733
If you want -full- root permission, you need uid 0.  You can have any username you want, but uid 0 = root.
0
 
LVL 1

Author Comment

by:mohammedg
ID: 2008734
O.K., user ID 0 seems to work, but again, as rajeevm has said, there will be no distinction between all the (root) users.

If there is no way to distinguish between all the root users, then I will have to live with the above, and split the points between rajeevm and mfarnam (does anybody know how I can split the points?).


0
 

Expert Comment

by:spunkinheimer
ID: 2008735
If you want to give them full root privileges why not just give them the root password and let them use su as necessary?
0
 
LVL 2

Expert Comment

by:blowfish
ID: 2008736
sudo is your best bet.  

You probably want to be able to give access to root, and then take it back later.  If you give the root password, and allow users to "su - root" then you will need to change the root password each time you want to drop somebody from the list of users allowed to "su - root", and of course, notify the remaining users of the change.  

Creating multiple users with UID 0 is not such a good idea either.  You would have the same amount of overhead required to manage it as if you gave the root password out.  You would need to modify their UID to be 0 to give root, and then change it back to remove root.  What about files that they might need to create for themselves, while they have root, you would need to chown the files back to the user's original UID or they would not be able to modify them (this may or may not be an issue in your particular case).  

However, there are important security implications against both giving root password, and setting multiple users to UID 0.  The more people that know the root password, the more chance that the password will get leaked to unauthorized people.  If you set multiple users to UID 0, then there are more chances that if your box gets hacked that one of the hacked accounts will be one of the root accounts.  Can you be sure that your users will use a strong password, that they haven't already given it to somebody else, or written it down on a sticky-note taped to their monitor, etc...

Sudo allows you to keep the root password a secret.  You do not need to set multiple UIDs to zero.  You can easily control who has root privilege by including or excluding them from a group (/etc/group) that is allowed to use sudo to get a root shell.  This gives you better control.  Sudo also allows a fine granularity of root access.  You can allow users or groups to run only a sub-set of commands as root.  Each time a command is used by a sudo user it is logged, giving you an excellent audit trail.  "su - root", and UID 0 solutions do not give you the audit trail.  

We have been successfully using sudo here for over 2 years, on about 20 systems that we manage.  We have deployed sudo on client systems that we manage, and allow them restricted root access, with logging.  

I hope that this information helps you make your decision.  

Cheers,

--frankf
0
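A check that goes with blowfish's comparison above, added here as an example and not part of the original thread: it lists accounts other than root that carry UID 0, and the members of the group a sudoers rule would name. The group name `sysadmin`, the sudoers line in the comment and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.
# Assumed sudoers rule, with a hypothetical group name:
#   %sysadmin ALL = (ALL) ALL

# Print every login name whose UID is 0, other than "root" itself.
extra_uid0() {  # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print everyone who is in a group: users listed in the group entry plus
# users whose primary GID in the passwd file matches the group's GID.
group_members() {  # $1 = passwd file, $2 = group file, $3 = group name
    gid=$(awk -F: -v g="$3" '$1 == g { print $3 }' "$2")
    {
        awk -F: -v g="$3" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$2"
        if [ -n "$gid" ]; then
            awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$1"
        fi
    } | sort -u
}

# Constructed sample files: alice was given UID 0, bob and carol are in sysadmin.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
alice:x:0:1:Alice:/home/alice:/bin/sh
bob:x:1002:14:Bob:/home/bob:/bin/sh
carol:x:1003:100:Carol:/home/carol:/bin/sh
dave:x:1004:100:Dave:/home/dave:/bin/sh
EOF
cat > "$SAMPLE/group" <<'EOF'
root::0:root
sysadmin::14:carol
users::100:
EOF

echo "UID-0 accounts besides root:"; extra_uid0 "$SAMPLE/passwd"
echo "sysadmin members:"; group_members "$SAMPLE/passwd" "$SAMPLE/group" sysadmin
```

Pointed at the real /etc/passwd and /etc/group, the first function should print nothing once access is granted through sudo instead of UID 0.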
 
LVL 2

Expert Comment

by:khaled022498
ID: 2008737
blowfish has explained the solution in a very good way, thank you blowfish.
0
 
LVL 1

Author Comment

by:mohammedg
ID: 2008738
I agree with blowfish, and thank you blowfish, I still have not tested it yet (too busy), but I will take your word for it.

How can I give blowfish the 40 points for this question?

Blowfish can answer the question, and I will accept his answer.
0
 
LVL 2

Accepted Solution

by:
blowfish earned 40 total points
ID: 2008739
This answer allows mohammedg to award points for previously entered comments regarding use of sudo.  
0
 
LVL 1

Author Comment

by:mohammedg
ID: 2008740
The Points are yours, keep up the good work.
0
 

Expert Comment

by:what9
ID: 2008741
If you want them to be root it is easy.
Give them the root password and let them su
the root - wheel group - don't forget to kill them
remember your life is on the line. If you are in a corp you better
get something in writing !!


0
