mohammedg

More Than One root

How do I give 3 users root permissions on a UNIX system?

I mean full root permission.

I tried putting these users in the root (GID 0) group, but it does not seem to work. I tried putting them in the sys group but it still does not work.

Any ideas?
tgreaser

I would keep the group idea... It's just that you need to change the rights that group has.

Do a man on chmod, chgrp and umask... What OS are you running?
Here's a program to do this:
http://www.courtesan.com/courtesan/products/sudo/
Hello,
There are a lot of ways if you want to give root permission to any user. One very simple way is to make the user ID of all the users '0' in the /etc/passwd file; then all of them will become root, but now there will be no distinction between all the (root) users. Can you tell me why you want to make three users root, so that I can tell you some other way to achieve your goal?
Thanks & Regards,
Rajeev Mishra
ASKER

Thank you, but I already know about sudo; I think su does the same job as well. But what I need is flexibility like the Windows NT administration groups, in which you can add a user to the Admin group and make that user an administrator. I need to do this because sometimes I have to assign an administration job to another user if I am away or too busy. The OSes that we run are IRIX 6.x and Solaris 2.5.x.
If you want -full- root permission, you need uid 0.  You can have any username you want, but uid 0 = root.
O.K., user ID 0 seems to work, but again, as rajeevm has said, there will be no distinction between all the (root) users.

If there is no way to distinguish between all the root users, then I will have to live with the above, and split the points between rajeevm and mfarnam (does anybody know how I can split the points?).


If you want to give them full root privileges why not just give them the root password and let them use su as necessary?
sudo is your best bet.  

You probably want to be able to give access to root, and then take it back later.  If you give the root password, and allow users to "su - root" then you will need to change the root password each time you want to drop somebody from the list of users allowed to "su - root", and of course, notify the remaining users of the change.  

Creating multiple users with UID 0 is not such a good idea either.  You would have the same amount of overhead required to manage it as if you gave the root password out.  You would need to modify their UID to be 0 to give root, and then change it back to remove root.  What about files that they might need to create for themselves, while they have root, you would need to chown the files back to the user's original UID or they would not be able to modify them (this may or may not be an issue in your particular case).  

However, there are important security implications against both giving out the root password and setting multiple users to UID 0.  The more people that know the root password, the more chance that the password will get leaked to unauthorized people.  If you set multiple users to UID 0, then there are more chances that if your box gets hacked that one of the hacked accounts will be one of the root accounts.  Can you be sure that your users will use a strong password, that they haven't already given it to somebody else, or written it down on a sticky-note taped to their monitor, etc...

Sudo allows you to keep the root password a secret.  You do not need to set multiple UIDs to zero.  You can easily control who has root privilege by including or excluding them from a group (/etc/group) that is allowed to use sudo to get a root shell.  This gives you better control.  Sudo also allows a fine granularity of root access.  You can allow users or groups to run only a sub-set of commands as root.  Each time a command is used by a sudo user it is logged, giving you an excellent audit trail.  "su - root" and UID 0 solutions do not give you the audit trail.  

We have been successfully using sudo here for over 2 years, on about 20 systems that we manage.  We have deployed sudo on client systems that we manage, and allow them restricted root access, with logging.  

I hope that this information helps you make your decision.  

Cheers,

--frankf
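
An added example, not part of the post above: a small audit that lists every account sharing UID 0 and the members of the group that a sudoers rule would grant root to. The group name `sysadmin`, the sample passwd/group entries and the function names are constructed for illustration.

```shell
#!/bin/sh
# Report who holds root on a host, reading passwd- and group-format files.
# "sysadmin" and all sample data below are assumptions made for this example.

# Print login names whose UID (field 3 of passwd format) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print the members of group $2 (field 4 of group format), one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Succeeds only when "root" is the sole UID 0 account in the file.
only_root_is_uid0() {
    [ "$(uid0_accounts "$1")" = "root" ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
alice:x:0:1:Alice:/home/alice:/bin/sh
bob:x:1002:10:Bob:/home/bob:/bin/sh
EOF
    cat > "$tmp/group" <<'EOF'
root::0:root
sysadmin::14:bob,carol
EOF
    echo "UID 0 accounts (not distinguishable in logs or file ownership):"
    uid0_accounts "$tmp/passwd"
    echo "Members of sysadmin (root through sudo, removed by editing the group):"
    group_members "$tmp/group" sysadmin
    rm -rf "$tmp"
}

# The sudoers rule that would pair with this group:
#   %sysadmin ALL=(ALL) ALL
demo
```

Pointing the functions at the real `/etc/passwd` and `/etc/group` gives the same report for a live host.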
blowfish has explained the solution in a very good way, thank you blowfish.
I agree with blowfish, and thank you blowfish, I still have not tested it yet (too busy), but I will take your word for it.

How can I give blowfish the 40 points for this question?

Blowfish can answer the question, and I will accept his answer.
ASKER CERTIFIED SOLUTION
blowfish
The Points are yours, keep up the good work.
If you want them to be root it is easy.
Give them the root password and let them su
the root - wheel group - don't forget to kill them
remember your life is on the line. If you are in a corp you better
get something in writing!!