How can you prevent root password change on Linux?

I'm setting up a server which other people will have sudo access to via ssh. They can install stuff and make changes as they see fit, however I still need to manage the server, install patches and software updates etc.

I'm wondering if I keep the root password so that I can always do what I need to, can I somehow disable people with sudo from being able to change it with sudo?


You have to think about it like this. If you give them the root password, or a route to it, you're essentially asking "how can I give them root except for all the times when I magically don't want them to have it". And the answer is "you can't. Computers don't work that way."


You can selectively allow certain commands with sudo, but you must be careful to not permit programs that allow shell access, writing to symlinks, or one of a few dozen other problems. Here's a page on secure sudo scripting: http://www.kramse.dk/projects/unix/security-sudo-script_en.html

You could always hope that they don't know about the chattr command ;-)


I think the answer here depends on whether you are trying to stop them from maliciously changing the password to keep you out, or just carelessly getting the password because they forgot you need access. In the former case you are going to have a lot of trouble. I don't know under what circumstance you would give users root access to the box but still be worried about this, but the best you can do is try to limit their access to commands through sudo, which as others mentioned is tricky at best. In the latter case it seems like the solution would be to create yourself a user with sudo privileges. No one is going to accidentally change the password on your account so you don't have to worry about someone just making a mistake, or even changing the password for a good reason and forgetting to tell you about it because you can always get in with your account and change it back.


SELinux can do what you're looking for, although it's like using a nuclear-powered planet-smashing battleax to swat a fly, or whatever the Hitchhiker's quote actually is. If you're set on Linux rather than Solaris (and its shiny RBAC), the easiest-to-implement option will likely be to configure sudo to only allow the commands necessary.
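
An added example (not part of any answer above, and not code from sudo itself) for the "only allow certain commands" approach suggested in two of the answers: a simplified checker for one-line sudoers entries that flags rules which still amount to full root. The sample entries, program lists and reason names are constructed for illustration; aliases and line continuations are not handled.

```python
import re

# Constructed sample entries (not from the page); simplified one-line syntax.
SAMPLE = """\
alice ALL=(ALL) ALL
bob   ALL=(root) ALL, !/usr/bin/passwd root
carol ALL=(root) /usr/bin/vi /etc/hosts, /usr/bin/systemctl restart nginx
dave  ALL=(root) NOPASSWD: /usr/bin/apt-get update
erin  ALL=(root) /usr/bin/chattr, /bin/cp * /srv/www/
"""

# Illustrative, not exhaustive, lists of programs that are root-equivalent.
RISKY = {
    "shell-escape": {"sh", "bash", "zsh", "su", "vi", "vim", "nano", "less",
                     "more", "find", "awk", "python3", "perl", "env"},
    # chattr is listed because it can lift an immutable flag from /etc/shadow.
    "credential-change": {"passwd", "chpasswd", "usermod", "visudo", "chattr"},
    "file-write": {"cp", "mv", "tee", "dd", "ln", "chmod", "chown"},
}
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...

def classify(cmd):
    """Return why one sudoers command entry is root-equivalent, or None."""
    if not cmd:
        return None
    if cmd == "ALL":
        return "full-root"
    if cmd.startswith("!"):
        # The sudoers manual warns that subtracting from ALL is not effective.
        return "deny-rule"
    base = cmd.split()[0].rsplit("/", 1)[-1]
    for reason, names in RISKY.items():
        if base in names:
            return reason
    return "wildcard" if "*" in cmd else None

def audit(text):
    """Return a list of (user, command, reason) for every risky entry."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        m = SPEC.match(line)
        if not m or line.startswith(("#", "Defaults")):
            continue
        user, cmds = m.groups()
        for cmd in cmds.split(","):
            cmd = TAGS.sub("", cmd.strip())
            reason = classify(cmd)
            if reason:
                findings.append((user, cmd, reason))
    return findings

if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE):
        print(f"{user:6} {reason:18} {cmd}")
```

Only dave's entry, a single fixed command line, passes without a finding; a real audit should read the effective policy from `sudo -l -U <user>` rather than parsing the file by hand.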