Can I pick on one thing about giving root access to users. Quite often a user requires to customise his workstation settings, like display, mouse configuration or print queues etc. But in doing so, the user will be prompted for the root password. That is even the case when the user has been given full access with visudo. What will you do to get round this? -----Original Message----- From: Darryl Gregorash [mailto:raven@accesscomm.ca] Sent: 04 March 2005 01:39 To: suse-linux-e@suse.com Subject: Re: [SLE] root access to user it clown wrote:
Hi All,
How would you give root access to another user on a suse box?
sudo You can set it up so users have limited access, just to a few specific commands, without them having to have the root password. You can give trusted users global root access, with or without the root password. It's all in 'man sudo' and 'man sudoers' (the second of these tells you how to configure the /etc/sudoers file). Personally, I would not add anyone to the root group because it opens the system to damage if there is a security compromise, but sudo really isn't much better, if you allow anyone to have global access without the root password. You're just limiting your exposure by limiting who has access and how they can obtain it.
If you joined the linux box to a w2k domain. How would you give the administrator user root access on the linux box?
You can do all this in Samba, but unless you are using at least one of SSL authentication and encrypted passwords in your domain, I would not use Samba at all (I have a pathological hatred of anything to do with NetBIOS, and I will not apologize to anyone for it :-) ). Just map "root = admin administrator" in your Samba username map file. For this to work, the root password on the Linux box probably will have to be the same as the administrator's domain password. If you are not using either SSL or password encryption, then set up ssh -- do NOT allow root logins -- add a user for that admin, and give him the root password so he can 'su -' to a root login shell. -- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
Chiu, PCM (Peter) wrote:
Can I pick on one thing about giving root access to users.
Quite often a user requires to customise his workstation settings, like display, mouse configuration or print queues etc.
1) KDE Control Center/Desktop/Size and Orientation - if the system is fully set up at admin level, all the available screen resolutions are there, and root access is not required. Did you mean anything else here? 2) Control Center/Peripherals/Mouse - same thing here too, is there anything else you need to do? 3) ditto/Printers - there is quite a lot you can change for real printers (not stuff like printing to file, or sending a fax of course), and for most users, I cannot see what more access they need. If the system is configured by the admin to give access to all the printers available to the users on the system, users don't need to do very much more at all. They certainly aren't going to be adding new printers that a network admin doesn't want them to use. Maybe a user might like to design a custom banner though, and I can't see a way to do that. I don't use any other desktops, so I don't know of equivalent options in any of those, eg. Gnome. If they aren't available at all in your favourite desktop, complain to the authors :-)
But in doing so, the user will be prompted for the root password. That is even the case when the user has been given full access with visudo.
What will you do to get round this?
Fire the admin that didn't properly set up the system? :-) PS, I do not need a pesonal copy of messages sent to the list, and I certainly do not send out receipt returns.
-----Original Message----- From: Darryl Gregorash [mailto:raven@accesscomm.ca] Sent: 04 March 2005 01:39 To: suse-linux-e@suse.com Subject: Re: [SLE] root access to user
it clown wrote:
Hi All,
How would you give root access to another user on a suse box?
sudo
You can set it up so users have limited access, just to a few specific commands, without them having to have the root password. You can give trusted users global root access, with or without the root password. It's all in 'man sudo' and 'man sudoers' (the second of these tells you how to configure the /etc/sudoers file). Personally, I would not add anyone to the root group because it opens the system to damage if there is a security compromise, but sudo really isn't much better, if you allow anyone to have global access without the root password. You're just limiting your exposure by limiting who has access and how they can obtain it.
If you joined the linux box to a w2k domain. How would you give the administrator user root access on the linux box?
You can do all this in Samba, but unless you are using at least one of SSL authentication and encrypted passwords in your domain, I would not use Samba at all (I have a pathological hatred of anything to do with NetBIOS, and I will not apologize to anyone for it :-) ). Just map "root = admin administrator" in your Samba username map file. For this to work, the root password on the Linux box probably will have to be the
same as the administrator's domain password.
If you are not using either SSL or password encryption, then set up ssh -- do NOT allow root logins -- add a user for that admin, and give him the root password so he can 'su -' to a root login shell.
participants (2)
-
Chiu, PCM (Peter) -
Darryl Gregorash