Hi Guys,

I have a Centos 5.6 64-bit Linode and I am having to provide access to developers and architects to install and configure Apache/PHP/MySql/Drupal, etc...packages.

I don't want to give them the root username and password. What privileges should the new user account have in order to accomplish the above tasks.

At some point they may need the root user account, is there a Sudo option in Centos.

Thanks.

Install the "sudo" package if not already installed and that will do all you need. "sudo" is much more than just an application to run commands as root, you can do a lot with it in terms of configuration.

Take a look at the man page for "sudoers", from there you can easily configure individual users or groups to run specific commands (such as restarting Apache) as root (or as another user) with their own password.

Keep in mind that giving a user sudo permission is identical to giving them the root username and password. It even lets them change the root password, and they can su to root using "sudo su -" without having the root password.

Not entirely true. "sudo" is not a program for running commands as root, it's a program for running commands as a different user, which by default in most/all places seems to be root.

You can very, very easily configure "sudo" via the "sudoers" file to give permission for 1 user to run only 1 command as root.

So if you give 1 user permission to run "sudo apache2ctl graceful", that is all they can ever do as root (or what ever user configured)

As soon as you're giving a user root permission to do anything, you've opened that door. In the case of many apps, they may provide their own ways to escape into a root shell. sudo can't actually prevent that, since noexec doesn't work on statically linked binaries.

Apps that let you escape into a shell may not even be obvious. The 'less' command does, you would just need to type "! sh" and boom, root shell, although there are other ways. The 'more' command is similar, are are most text editors.

For example, strictly restricting the user to apache2ctl is not enough. They can set environment variables to point apache2ctl at a custom config file that loads any executable code they want, or if they want to do it user-friendly-like, they can use it to run php as root; if you control the apache configuration, getting a root shell is easy. Yes, you can restrict environment variables in the sudoers list, but this just illustrates how dangerous it is to give someone root access to *anything*.

Guys,

Thanks for the detailed information.
I have gone through the sudoers config file and I have added the following at the end of the file.

User_Alias ADMINS = username
ADMINS ALL = LOCATE

But, its not working. I log in remotely as that username but executing sudo prompts for a password and no matter what password i enter, it doesn't let me in.

I am giving this access to developers and I know them well. So, i don't see them misusing the server. They may also have to fine tune the OS at some stage. I don't want to share the root user account but need an alternative.

I think, if the user is able to execute sudo bash, he gets into root shell, correct me if am wrong. Probably, this could also avoid the user to type sudo for each and every command.

How do i configure this?

Thanks,

I run Ubuntu on my servers, and Ubuntu has disabled direct access to the root account (you can't "su -") by default. So I've gotten in the habit of running "sudo su -" to get a root prompt...

I have somehow configured the sudoers file and the user can execute commands to install applications.

But, he is able to execute sudo bash, how can i restrict this only?

Avinash

If you give them sudo because you want them to have some root privileges, as Guspaz said, you're opening the door. Either you trust them with that access or you don't. The problem is human not technical. Have they earned your trust enough for you to give them that level of access to your server? If so give them sudo.

You said you might want them to do other things on server, so don't tie their hands (not that really can anyway), if you trust them. If you don't trust them, log them in and watch over their shoulder while they're logged in as root.

Thats what I meant, I am ok giving them sudo access. But, I don't want them to execute sudo bash. Coz, this makes them root and even the prompt becomes root@host. How do i restrict this?

Avinash

It's impossible. On Ubuntu, you can tell apt-get to run post-invoke commands (such as "bash"). I don't see an easy way to do it with Yum in CentOS, but you can always create a package that does so and install it with yum.

In short, if you give somebody sudo access, assume they have full root access.

Hmm..

I am asking this bcoz, i see cmd_aliases option in sudoers file. So is it possible to restrict only "Sudo bash" command for a particular user/group. I believe that when there's an option to assign privileges/permissions to users/groups for only one command, the other way round should also be possible.

Thanks for your time.
Avinash

You don't seem to be listening to what people are trying to tell you. You can configure sudo however you want, but you need to realize that once you give someone partial root with sudo, they can very easily get full root access. This applies even more when you attempt to only block one command.

TL;DR: It is not possible to securely prevent someone from running bash using sudo config options, while letting them do other things with sudo.

To be fair it is trivial to obtain root access even without sudo access. That's why you must be careful about giving anybody SSH access without severely limiting the users abilities.

No, it's not, unless you're running a kernel with known root exploits.