Re: root group in solaris



sudo -s opens a root-level shell that can be used to issue multiple
commands. If running in a GUI, the admin could even have more than one
shell open and use the root and non-root shells simultaneously for
appropriate commands. That's pretty simple and requires knowledge of only
the user's own password. The only command logged is the command to spawn
the shell, not the commands issued in that shell, unlike the audit trail
that could be kept if commands were issued separately prefixed with sudo.

sudo without the -s option issues a new password challenge when the last
challenge is five minutes old to prevent someone from using a root shell
when an admin steps away without locking his account... not a bad idea.
Can you set the inactivity time limit for sudo?




From: Casper.Dik@xxxxxxM
Sent by: listbounce@securityfocus.com
To: dubaisans dubai <dubaisans@xxxxxxxxx>
cc: focus-sun@xxxxxxxxxxxxxxxxx
Date: 09/18/2006 02:07 PM
Subject: Re: root group in solaris











> I would like to give root user privileges to a set of OS
> administrators. Everyone has individual user-ids on the system.
> Currently they log in with their personal ID and then SU to root. I
> do not want to share root password with these many people.
>
> I am thinking of adding all these users to the "root" group [GID 0].
> Will it provide root-equivalent UID 0 access to these users? If not,
> why? Does the "root" group not have root user-id equivalent
> privileges?
>
> Is it possible manually to make the GID 0 privileges equivalent of UID 0?

No; you could have easily tested this but it has no effect at all.

> How else can I give these individual users root privileges - make all
> of them UID 0 or something? Is that a smart idea?
>
> I am looking at something simpler than SUDO or RBAC

Even simpler?

I would still strongly suggest RBAC or sudo as both allow your system
administrators to execute programs with appropriate privileges when
needed. Giving them "root privileges all the time" is a bad idea;
it means that they can no longer safely use their user accounts
for email, web browsing or anything else.

Casper
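
The audit-trail gap described in the first reply, shown as an added example that is not part of the original thread: a small Python check that scans sudo log entries and reports the ones that only record a shell being spawned. It assumes sudo's standard syslog line format; the host, user names and log lines are constructed samples.

```python
import re

# Constructed sample lines in sudo's syslog format (not taken from the thread).
SAMPLE_LOG = """\
Sep 18 14:02:11 sol10 sudo:    alice : TTY=pts/1 ; PWD=/export/home/alice ; USER=root ; COMMAND=/usr/sbin/svcadm restart ssh
Sep 18 14:03:40 sol10 sudo:      bob : TTY=pts/2 ; PWD=/export/home/bob ; USER=root ; COMMAND=/usr/bin/bash
Sep 18 14:05:02 sol10 sudo:    alice : TTY=pts/1 ; PWD=/export/home/alice ; USER=root ; COMMAND=/usr/bin/passwd carol
Sep 18 14:06:30 sol10 sudo:    carol : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/su -
Sep 18 14:07:15 sol10 sudo:      bob : TTY=pts/2 ; PWD=/export/home/bob ; USER=oracle ; COMMAND=/usr/bin/ksh
Sep 18 14:08:00 sol10 sudo:     dave : TTY=pts/4 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/sh -c /opt/site/rotate-logs
"""

ENTRY = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh"}


def opens_shell(command):
    """True when the logged command hands over an interactive shell."""
    argv = command.split()
    name = argv[0].rsplit("/", 1)[-1]
    if "-c" in argv[1:]:
        return False  # one command line, and that line is itself logged
    if name == "su":
        return True   # su without -c ends in a shell
    # A shell given only options (no script path) is interactive.
    return name in SHELLS and all(a.startswith("-") for a in argv[1:])


def audit_gaps(log_text):
    """Return (user, run-as user, command) for entries that hide later commands."""
    gaps = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m and opens_shell(m["cmd"]):
            gaps.append((m["user"], m["runas"], m["cmd"]))
    return gaps


if __name__ == "__main__":
    for user, runas, cmd in audit_gaps(SAMPLE_LOG):
        print(f"{user} opened a shell as {runas} via {cmd}: later commands are not logged")
```
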


