Root access that can't change root password?

We are having a little problem on a server. We want some users to be able to use e.g. sudo and become root, but with the restriction that the user can't change the root password. That is, a guarantee that we can still log in to that server and become root no matter what the other users do.

Is that possible?
(Linux 3.2.0-57-generic #87-Ubuntu SMP)

One way to do it is to disable "su" and "passwd" access in sudoers, for example like this:

user ALL=(ALL) ALL, !/usr/bin/passwd, !/usr/bin/su

Then tell the user to run the commands that he needs executed as root by prefixing them with "sudo".

It will not prohibit manually editing the /etc/shadow file though...

... or editing the /etc/sudoers file, and the user can take off the restrictions again.

How about you ask exactly what is needed and only permit that with sudo rules? Be sure not to allow access to anything that the user can escape from, e.g. by giving vi, the user can probably use :sh to get to a command prompt as the executing user.

Other things run with sudo, such as ftp, can also be used to run local shell commands. You have to be very careful.

Perhaps there is a need for not giving root access to the user. Ask what needs to be done, get it scripted and tested, then make the script Read-Only to them, but have it owned by root and set the SUID flag with:-

chown root:group yourscript
chmod 4750 yourscript

Make sure that the world cannot execute the script and set the group to be as restricted as you can. Perhaps even create a group for just this use.

I hope that this helps or at least gives you something to consider.

Robin
Liverpool/Blackburn
UK
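
The points raised in this thread (a "sudo ALL minus a denylist" rule is bypassable, and allowed programs such as vi or ftp can hand out a root shell) can be checked mechanically. The following is an added example, not code from any poster: a simplified auditor for single-line sudoers user specifications. The sample rules, the function name audit and the programs in SHELL_ESCAPE beyond vi and ftp are assumptions made for the example.

```python
import re

# Constructed sample sudoers lines (not from a real host).
SAMPLE = """\
# constructed example
user    ALL=(ALL) ALL, !/usr/bin/passwd, !/usr/bin/su
deploy  ALL=(root) /usr/bin/vi /etc/app.conf, /usr/bin/ftp
backup  ALL=(root) NOPASSWD: /usr/local/sbin/run-backup
"""

# Programs that can start a shell from inside. vi and ftp are named in the
# thread; the rest are an assumption added for this example.
SHELL_ESCAPE = {"vi", "vim", "ftp", "less", "more", "man"}

# who host=(runas) cmd, cmd, ...   (no aliases, no line continuations)
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\([^)]*\))?\s*(?P<cmds>.+)$")

def audit(text):
    """Return (line number, user, finding, detail) tuples for risky rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m or m["who"].endswith("_Alias"):
            continue
        # Split the command list and strip tags such as "NOPASSWD:".
        cmds = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip())
                for c in m["cmds"].split(",")]
        allowed = [c for c in cmds if c and not c.startswith("!")]
        denied = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in allowed:
            # "ALL, !cmd" still leaves /etc/shadow and /etc/sudoers editable
            # through any other command, as the thread points out.
            kind = "denylist-after-ALL" if denied else "unrestricted-ALL"
            findings.append((lineno, m["who"], kind, ", ".join(denied)))
        for c in allowed:
            prog = c.split()[0].rsplit("/", 1)[-1]
            if prog in SHELL_ESCAPE:
                findings.append((lineno, m["who"], "shell-escape", c))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

A rule that lists only a purpose-built, root-owned command (the backup line in the sample) produces no finding.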