Re: root group in solaris : Tools



sudo provides logging, and commands such as /bin/sh etc. can be put into
a group in /etc/sudoers and forbidden. Then add users to the wheel
group who need sudo access. Of course there are ways around the
forbidden things. You can be specific with which commands they can run
so that they don't write shell scripts and run them with sudo to bypass
the forbidden binaries.



Cmnd_Alias SHELLS = /sbin/sh,\
    /bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\
    /usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh

Cmnd_Alias FORBIDDEN = /bin/passwd root,/bin/su,/sbin/su

%wheel ALL = (ALL) ALL,!SHELLS,!FORBIDDEN


dubaisans dubai wrote:

What is the suggestion on using a tool like Powerbroker from Symark?
The tool claims to centralise the "sudo" function and also provide
logging? Does anyone have feedback on this tool or any other third
party tool in the same space?


On 9/19/06, Suzanne Widup <Suzanne.Widup@xxxxxxxxxxx> wrote:

Have you looked at implementing sudo? It's a root delegation tool and
would give you some better accountability as to what people are doing.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of dubaisans dubai
Sent: Monday, September 18, 2006 5:50 AM
To: focus-sun@xxxxxxxxxxxxxxxxx
Subject: root group in solaris

Hi,

I would like to give root user privileges to a set of OS administrators.
Everyone has individual user-ids on the system.
Currently they log in with their personal ID and then SU to root. I do not
want to share the root password with this many people.

I am thinking of adding all these users to the "root" group [GID 0].
Will it provide root-equivalent UID 0 access to these users? If not,
why? Does the "root" group not have root user-id equivalent privileges?

Is it possible to manually make the GID 0 privileges equivalent to UID
0?

How else can I give these individual users root privileges - make all of
them UID 0 or something? Is that a smart idea?

I am looking at something simpler than SUDO or RBAC

--
Mike Kuriger
Sr. Systems Engineer
WarnerBros Online
818-977-8198
m@xxxxxx
aim - mikekuriger
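
An added example, not part of the original message and not sudo's own tooling: a small Python check that reads sudoers text and reports any rule that grants ALL and then subtracts commands with "!", the deny-list pattern the message itself says has ways around it. The sample input, the SVCS alias and the %ops rule are constructed, and the parser handles only simple single-rule lines with one Cmnd_Alias per line.

```python
import re

# Constructed sample: the rule from the message, plus a hypothetical
# allow-list rule (SVCS alias and %ops group are assumptions).
SAMPLE = r"""
Cmnd_Alias SHELLS = /sbin/sh,\
    /bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\
    /usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh
Cmnd_Alias FORBIDDEN = /bin/passwd root,/bin/su,/sbin/su
Cmnd_Alias SVCS = /usr/sbin/svcadm,/usr/bin/svcs
%wheel ALL = (ALL) ALL,!SHELLS,!FORBIDDEN
%ops ALL = (root) SVCS
"""

ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Join backslash-continued lines; drop blank and comment lines."""
    joined = re.sub(r"\\\n\s*", "", text)
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def split_cmds(s):
    return [c.strip() for c in s.split(",") if c.strip()]

def audit(text):
    """Return [(who, [denied commands])] for each rule that grants ALL and
    then subtracts commands with '!' (a deny-list on top of full root)."""
    lines = logical_lines(text)
    aliases = {m.group(1): split_cmds(m.group(2))
               for m in map(ALIAS.match, lines) if m}
    findings = []
    for line in lines:
        m = SPEC.match(line)
        if line.startswith(SKIP) or not m:
            continue
        cmds = split_cmds(m.group(2))
        denied = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in cmds and denied:
            # Expand alias names so the report lists the actual paths.
            expanded = [p for d in denied for p in aliases.get(d, [d])]
            findings.append((m.group(1), expanded))
    return findings

if __name__ == "__main__":
    for who, denied in audit(SAMPLE):
        print(f"{who}: ALL minus {len(denied)} denied commands; "
              "prefer listing the permitted commands instead")
```

Only the %wheel rule is reported; the %ops rule names the commands it permits and passes.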


