Skip to main content

Allowing users to run commands as root without sudo

A never ending problem when you run Linux in the enterprise, is security (and stability) of the systems and access control to allow users, contractors, developers to install software and create or tweak configurations so that some application or service runs. Ideally, only you the sysop can install or configure software and everyone else has to turn to

Using sudo, you can define tons of ways for users or groups to be able to run (or not) some commands on some or all systems. You can setup that they may run commands as other users without needing their password. Or you can turn off passwords all together. However, as soon as you start building a list of commands that a certain user or user group can or cannot run, you create the possibility for knowledgeable hackers users to work their way around your system by creating loopholes, symbolic links or abuse buffer overflows.

Perhaps, we should all use sudo to allow or deny general access to machines or users and use consolehelper to create ways for non-root users to run certain commands and give the means to DBAs to start/stop their own databases or application servers (read Apache, Jboss, Tomcat, etc.)

Consolehelper ties in with PAM to give you native, built-in, modular, Linux security that is almost infinitely configurable. You can use local user accounts, LDAP, NIS or any combination of limiting or allowing uses to do drastic things.
Labels:

Comments

Post a Comment

Popular posts from this blog

Tuning the nscd name cache daemon

I've been playing a bit with the nscd now and want to share some tips related to tuning the nscd.conf file. To see how the DNS cache is doing, use nscd -g. nscd configuration: 0 server debug level 26m 57s server runtime 5 current number of threads 32 maximum number of threads 0 number of times clients had to wait yes paranoia mode enabled 3600 restart internal passwd cache: no cache is enabled [other zero output removed] group cache: no cache is enabled [other zero output removed] hosts cache: yes cache is enabled yes cache is persistent yes cache is shared 211 suggested size <==== 216064 total data pool size 1144 used data pool size 3600 seconds time to live for positive entries <==== 20 seconds time to live for negative entries
2 comments
Read more

Preventing PuTTY timeouts

Just found a great tip to prevent timeouts of PuTTY sessions. I'm fine with timeouts by the host, but in our case the firewall kills sessions after 30 minutes of inactivity... When using PuTTY to ssh to your Linux/Unix servers, be sure to use the feature to send NULL packets to prevent a timeout. I've set it to once every 900 seconds, i.e. 15 minutes... See screenshot on the right.
1 comment
Read more

Setting up SR-IOV in RHEL6 on PowerEdge servers

Dell Community : "RHEL 6 provides SR-IOV functionality on supported hardware which provides near native performance for virtualized guests. Single-Root I/O Virtualization (SR-IOV) specification, introduced by PCI-SIG details how a single PCIe device can be shared between various virtualization guests. Devices capable of SR-IOV functionality support multiple virtual functions on top of the physical function. Virtual Function is enabled in hardware as a light weight PCIe function. Operating System cannot discover this function as it does not respond to the PCI bus scan and requires support in the host’s driver. As in PCIe pass-through, a Virtual function of a SR-IOV capable card can be directly assigned to the guest operating system. A virtual function driver running in the guest manages this device."
3 comments
Read more