Prevent user from creating new user from his login

Hi Experts,

Need your support
Redhat 6.5
I want to create a user with all (read, write, execute) privileges, except that the user should not be able to create any new user from his login
to perform any task.

Off the top of my head, this seems contradictory. If you have read, write, and execute on any file, that means new user creation is possible. If you employ ACLs and block this special user from accessing files, then what happens when the user employs setfacl (or whatever tool) to undo your change to the ACL?

Instead of telling us HOW you think this task needs to be done, please tell us WHAT problem you are trying to fix.

Note: Linux system roles are beginning to receive support; I think the concept was demonstrated well in Solaris 10. I do not know how robust the support of roles using Ansible is in your version of RH.

Linux System Roles | The Linux System Roles are a collection of roles and modules executed by Ansible to assist Linux admins in the configuration of common GNU/Linux subsystems.

Check your documentation for Ansible.

1 Like

Absolutely! If someone is allowed to do "everything" then everything it is - no less!

I remember a former customer took away root privileges for a certain system from us system administrators, but because we were still supposed to edit a certain file owned by root (!), they created a sudo rule for us:

myuser ALL=(ALL)   vi /path/to/some/dir/*

They wondered why we still became root whenever we needed to and probably still are wondering, LOL!

I don't know Solaris too well, but RBAC (Role Based Access Control) has been available in AIX for about 10-15 years. I would strongly prefer jumping out of the next available window to using it, though. It makes the administration of a system practically impossible (yes, I know all the "but"s - I still stand by what I said). My advice: stay away as far as you can. If you can't do it with standard UNIX privileges, it isn't worth doing and/or your model is plain wrong.

I hope this helps.

bakunin

1 Like

Hi Jim,

I want to create one user and do not want that user to run the userdel and useradd commands.
The only intention is to prevent the user from running the useradd and userdel commands on Redhat 7.2.
Other than this, he should be able to perform any other task.

In short, the user should not be able to execute the useradd and userdel commands from his login.

--- Post updated at 11:39 AM ---

Hi Bakunin,

Thank you for such a nice explanation.
Apologies, as I know I am asking the same question again. But I need help on this to understand more.
Is there any way/command by which we can disable only two commands (useradd and userdel) for any particular user?

We don't want the user to create and delete any user on the system.

I want to create one user and do not want that user to run the userdel and useradd commands on the system.
The only intention is to prevent the user from running the useradd and userdel commands on Redhat 7.2.
Other than this, he should be able to perform any other task.

In short, the user should not be able to execute the useradd and userdel commands from his login.

We are not being obtuse, being overly literal, or blocking you. We're telling you that your question is nonsensical. You cannot stop root from being root. Period. Full stop. Any measures you use to stop them, they have full access to undo themselves, by definition.

For instance, useradd and userdel aren't magic -- they edit files. Block them and they can just edit the files by hand, or install something else for the purpose. Block access to the files and bad things will happen since the system needs these files.

You will have to approach the problem from another angle. Rather than 'limit what root can do', you will need to very precisely specify what they are actually allowed to do, and permit that in a non-root user via sudo.

5 Likes

Hi All,

Thank you very much for your time and effort you have put in for this post.
Your response and positive comments mean a lot to me.

I tried the below to achieve what I want to some extent.

This is exactly the thing we talked about: what you did can easily be undone by the person you tried to block. Here, I am allowed to do "everything but" some commands, so I use another command (here: visudo) to remove the rule you just edited into /etc/sudoers and edit it out again. After this, your carefully crafted limitation of my possibilities doesn't exist any more.

Or, as Corona688 said, I simply leave the limitation in place and use vi to edit /etc/passwd (and probably some shadow files, depending on your system and its setup) directly to do manually what useradd and userdel do automatically. I won't even need these commands to create or remove users.

Or I could, using the still allowed command su, switch to another user and execute useradd and userdel from there.

Or I could use cp to copy a shell executable somewhere, use chmod to set its sticky bits, then execute it as my user and could still execute the forbidden command, because inside the shell I have a different effective user ID and the limitation won't apply to me any more.

Or I could ...

What you did was to carefully lock one door - but leave open hundreds of others leading to the same room. If you want to prevent me from getting in there, it doesn't matter if I have 100 or only 99 options available.

Bottom line: what you have is NOT a solution, not even a partial one, and we have been trying to tell you exactly that for several posts now. You are of course free to ignore this advice, but what is the point of asking in the first place if you refuse to hear the answer because you don't like it?

I hope this helps.

bakunin

2 Likes
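Both of the sudo shapes discussed in this thread (the "everything but" rule bakunin describes above, and the earlier `vi /path/...` rule) can be spotted mechanically. The following POSIX sh audit is an added example, not code from any poster; the sample rules, users and paths in it are constructed for illustration, and it assumes the usual one-line sudoers form `user host=(runas) [NOPASSWD:] command`.

```shell
#!/bin/sh
# Constructed sudoers fragment (not a real system's file).
SAMPLE_RULES='ops     ALL=(ALL) ALL, !/usr/sbin/useradd, !/usr/sbin/userdel
myuser  ALL=(ALL)   vi /path/to/some/dir/*
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp
# comment line
Defaults env_reset'

# Strip leading whitespace from $1.
ltrim() { printf '%s' "${1#"${1%%[![:space:]]*}"}"; }

# audit_sudoers_rules TEXT
# Prints one verdict line per user rule: "<VERDICT> <user>: <command spec>".
#   DENYLIST  - "ALL" with "!" exceptions: the user is still effectively root
#   ESCAPE    - the allowed command is an editor, shell or su, which can run
#               anything (the vi rule from earlier in the thread)
#   ALLOWLIST - one specific command, the shape the replies above recommend
audit_sudoers_rules() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      ''|'#'*|Defaults*) continue ;;          # skip blanks, comments, Defaults
    esac
    user=${line%%[[:space:]]*}                # first field: user or alias
    case "$line" in                           # command spec after "(runas)" or "="
      *\)*) cmds=${line#*\)} ;;
      *)    cmds=${line#*=} ;;
    esac
    cmds=$(ltrim "$cmds")
    case "$cmds" in                           # drop the NOPASSWD: tag if present
      NOPASSWD:*) cmds=$(ltrim "${cmds#NOPASSWD:}") ;;
    esac
    first=${cmds%%[[:space:]]*}               # first word of the command spec
    base=${first##*/}                         # basename, e.g. /usr/bin/vi -> vi
    case "$cmds" in
      *'!'*) verdict=DENYLIST ;;
      *) case "$base" in
           vi|vim|su|sh|bash) verdict=ESCAPE ;;
           *)                 verdict=ALLOWLIST ;;
         esac ;;
    esac
    printf '%s %s: %s\n' "$verdict" "$user" "$cmds"
  done
}

audit_sudoers_rules "$SAMPLE_RULES"
```

Run it against a copy of the real file only after `visudo -c` confirms it parses; aliases and multi-line rules are outside what this small checker handles.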

A handful of the easiest ways you can still add users on your system:

# Make a shell do it
sudo sh -c 'useradd'

# Put it in a script and run it
echo 'useradd' > nicetry.sh ; chmod +x nicetry.sh ; sudo $PWD/nicetry.sh

# Put it in a script and make a shell do it
echo 'useradd' > nicetry.sh ; sudo bash $PWD/nicetry.sh

# Duplicate the command to something sudoers hasn't blocked
sudo ln /usr/sbin/useradd /usr/sbin/nicetry ; sudo nicetry

# Install something else
sudo apt-get install alternate-utility ; sudo alternate-utility

# manually edit password files
sudo vi /etc/passwd ; sudo vi /etc/shadow

# edit sudoers to give yourself permissions
sudo visudo

# mount other folder on top of /etc.  Even an unwritable filesystem won't stop this one!
sudo mount --bind /fake-etc /etc

Your screen door is leaking. You blocked one pinhole. There's 10,000 more for you to find and plug individually.

2 Likes

Hi Bakunin,

Thanks for the detailed information.

Your response helped me a lot to gain knowledge on this topic/issue.

Yes, you are right, there are other ways as well to undo the changes I have done and to add and delete users.
I have informed the customer of the same and told them that we can't limit the user as long as he has all the rights.

If you carefully re-read the posts above, you will see that Corona688 already addressed that: instead of giving a user all rights (in fact that means he can become the root user, which is allowed to do everything) and then (trying to) take away the rights you don't want him to have, you should look at it differently from the start:

What does the user have to do and precisely which rights does he need for that?

Once you have answered this question (not to me - to yourself), you can start thinking about ways to give the user exactly these rights - and nothing more. Instead of giving out all rights and then taking back some, you only give out what is absolutely necessary in the first place.

If you tell us about your (long-term) goals - that is, what is the user account supposed to do - we can help you come up with ways to achieve that. It is perhaps possible to do it but just not in the way you tried.

I hope this helps.

bakunin

1 Like

I know this might be a daft question, but why would you want to share a very powerful account with someone else but leave one thing out? Either you trust them, or you don't. Don't give privileges to anyone for anything unless you are happy that they are safe to do the thing and that they can't escape and do something else.

I might be paranoid, but not only did we keep all users as 'ordinary' and with (full path) scripted sudo rules, but for things with user accounts (even password resets) we intercepted the official code and added our own logging. People in the security group who are already allowed to do such things ended up being logged, so we could at least trace it back. You learn to be paranoid in a financial company where someone managed to get another user's password reset and then performed fraudulent actions (i.e. I've seen the death certificate, pay out the life assurance) as someone else.

Basically, only give the minimum required to do the job. Don't just allow them in with total access if they don't need it or because it's convenient and saves having to define appropriate security rules on your data.

Security is usually like birth control methods - people don't like them and try to avoid using them but if you get caught out, it is too late. Prevention (or abstinence) is better than remedial action or just living with the consequences.

You need to ask yourself very carefully what they actually need. Be extremely cautious.

Just my thoughts.

Can you tell us more about what they really need to do?

Robin

2 Likes