root equivalent user - Linux Setup, Configuration & Administration

  1. #1

    root equivalent user

    Hi! VERY new to Linux, so please be patient with me!

    I work for an ISP, and I have setup a dedicated Redhat Linux 9 server for a
    client. We would like to reserve the root user for our support staff to
    help the client later. However, the client needs a "root equivalent"
    account to manage their server.

    Is there a way to provide a given user account with the equivalent
    privileges that root has?

    Thanks!
    Ed



    Ed Guest

  2. #2

    Re: root equivalent user

    Ed <efrasherhostdepot.com> wrote:
    > Is there a way to provide a given user account with the equivalent
    > privileges that root has?
    Besides what already said, you can create another account with
    uid 0 and it will be like root.

    Davide
    Davide Bianchi Guest

  3. #3

    Re: root equivalent user

    On Tue, 05 Aug 2003 17:21:59 +0000, Davide Bianchi wrote:
    > Ed <efrasherhostdepot.com> wrote:
    >> Is there a way to provide a given user account with the equivalent
    >> privileges that root has?
    >
    > Besides what already said, you can create another account with
    > uid 0 and it will be like root.
    And that is a very **bad** idea.

    Dave Uhring Guest

  4. #4

    Re: root equivalent user


    "Dave Uhring" <daveuhring> wrote in message
    news:pan.2003.08.05.17.36.08.586596...
    > > Besides what already said, you can create another account with
    > > uid 0 and it will be like root.
    >
    > And that is a very **bad** idea.
    I've not heard of this being done before, but it does have a hackish sound
    to it. Why does this work, and why is it a bad idea?


    David Harris Guest

  5. #5

    Re: root equivalent user

    David Harris <gte972zmail.gatech.edu> wrote:
    > "Dave Uhring" <daveuhring> wrote in message
    > news:pan.2003.08.05.17.36.08.586596...
    >> > Besides what already said, you can create another account with
    >> > uid 0 and it will be like root.
    >>
    >> And that is a very **bad** idea.
    > I've not heard of this being done before, but it does have a hackish sound
    > to it. Why does this work, and why is it a bad idea?
    Some utilities (not many, none I can think of) rely on root = 0. Two
    entries for one uid risks getting the wrong username. Anyway, it's a
    bad idea because the whole idea of uids is that they're unique.

    Peter
    Peter T. Breuer Guest

  6. #6

    Re: root equivalent user

    On Tue, 05 Aug 2003 20:48:31 +0200, Peter T. Breuer wrote:
    > David Harris <gte972zmail.gatech.edu> wrote:
    >
    >> "Dave Uhring" <daveuhring> wrote in message
    >> news:pan.2003.08.05.17.36.08.586596...
    >>> > Besides what already said, you can create another account with
    >>> > uid 0 and it will be like root.
    >>>
    >>> And that is a very **bad** idea.
    >
    >> I've not heard of this being done before, but it does have a hackish sound
    >> to it. Why does this work, and why is it a bad idea?
    >
    > Some utilities (not many, none I can think of) rely on root = 0. Two
    > entries for one uid risks getting the wrong username. Anyway, it's a
    > bad idea because the whole idea of uids is that they're unique.
    Doing that provides yet another root account which might be compromised
    and provides -no- additional functionality.

    If the admin of that machine cannot remember root's password (s)he can
    always boot in single user mode and correct that problem. If the toor
    account, as it's known in BSD, has an easy to remember password then it is
    more easily cracked; the attacker then has full root access.

    Dave Uhring Guest

  7. #7

    Re: root equivalent user

    Dave Uhring wrote:
    > If the admin of that machine cannot remember root's password (s)he can
    > always boot in single user mode and correct that problem.
    ...yes, in the case that the admin remembers LILO's password (at least on my
    systems, LILO asks password if you try to do anything else than normal
    boot). Otherwise it's the long way 'round (get a boot disk, go to bios and
    enable booting from disk -- and oh yeah, reset bios since its password was
    forgotten, too...)

    -Timo

    --
    Timo Voipio | Helsinki, Finland | ICBM at: 60 11.800 N 024 52.760 E
    GeekCode ver 3: GU>CC d s-: a--- C++ UL(+)$>+++$ P+>+++ L++(+) E- W++ N++
    o? K? w O M- V- PS PE Y+ PGP+ t 5++ X R tv- b++(++++) DI+ D G e- h! r !y
    Remove +newsharvested to e-mail me | Poista +newsharvested jos meilaat

    Timo Voipio Guest

  8. #8

    Re: root equivalent user

    Dave Uhring <daveuhring> wrote:
    > And that is a very **bad** idea.
    Every time you have to give to someone almost-root-permissions is a bad
    idea. But this is what has been asked.

    Davide
    Davide Bianchi Guest

  9. #9

    Re: root equivalent user

    On Tue, 05 Aug 2003 22:20:42 +0300, Timo Voipio wrote:
    > Dave Uhring wrote:
    >
    >> If the admin of that machine cannot remember root's password (s)he can
    >> always boot in single user mode and correct that problem.
    >
    > ...yes, in the case that the admin remembers LILO's password (at least on my
    > systems, LILO asks password if you try to do anything else than normal
    > boot). Otherwise it's the long way 'round (get a boot disk, go to bios and
    > enable booting from disk -- and oh yeah, reset bios since its password was
    > forgotten, too...)
    Not relevant to the addition of another user with UID=0.

    If the admin cannot remember lilo's password then that individual cannot
    boot the system anyway. Adding another "root" user helps nothing there.

    Dave Uhring Guest

  10. #10

    Re: root equivalent user

    On Tue, 05 Aug 2003 19:31:51 +0000, Davide Bianchi wrote:
    > Dave Uhring <daveuhring> wrote:
    >> And that is a very **bad** idea.
    >
    > Every time you have to give to someone almost-root-permissions is a bad
    > idea. But this is what has been asked.
    ACL's and sudo provide the necessary permissions with minimal risk.

    ANY account with UID=0, whether named as root or not, has -full- access to
    the system.

    Dave Uhring Guest

  11. #11

    Re: root equivalent user

    Dave Uhring wrote:
    > On Tue, 05 Aug 2003 19:31:51 +0000, Davide Bianchi wrote:
    >
    >
    >>Dave Uhring <daveuhring> wrote:
    >>
    >>>And that is a very **bad** idea.
    >>
    >>Every time you have to give to someone almost-root-permissions is a bad
    >>idea. But this is what has been asked.
    >
    >
    > ACL's and sudo provide the necessary permissions with minimal risk.
    >
    > ANY account with UID=0, whether named as root or not, has -full- access to
    > the system.
    >
    Also I think "wheel" group authentication can be enabled via PAM,
    that would allow certain users to use "su" and supply their own
    password.

    Historical note:
    I don't think it applies to Linux but on some Unixes, small UIDs
    (less than 100) have special privileges. I remember for SysV certain
    system accounts needed particular UIDs to work correctly. The same
    is (or was) true for GIDs. (On Solaris only member of group #14
    can use the system management console.)

    -Wayne

    Wayne Guest

  12. #12

    Re: root equivalent user

    David Harris wrote:
    > "Dave Uhring" <daveuhring> wrote in message
    > news:pan.2003.08.05.17.36.08.586596...
    >
    >>>Besides what already said, you can create another account with
    >>>uid 0 and it will be like root.
    >>
    >>And that is a very **bad** idea.
    >
    >
    > I've not heard of this being done before, but it does have a hackish sound
    > to it. Why does this work, and why is it a bad idea?
    It's very old and very common. Permissions are not based on your
    username: they're based on your uid, which gets looked up via your
    username way deep in the glibc library functions and kernel.

    Unfortunately, it gives that user complete but slightly skewed access to
    every part of the system.

    Nico Kadel-Garcia Guest

  13. #13

    Re: root equivalent user

    On Tue, 05 Aug 2003 16:37:37 -0400, Wayne wrote:
    > Also I think "wheel" group authentication can be enabled via PAM,
    > that would allow certain users to use "su" and supply their own
    > password.
    The BSDs have su access restricted to the wheel group, but the password is
    root's. That access is hard coded in the su source, at least in OpenBSD.
    OpenBSD, btw, does not have 'toor' as a default user as does FreeBSD, nor
    should it.
    > Historical note:
    > I don't think it applies to Linux but on some Unixes, small UIDs
    > (less than 100) have special privileges. I remember for SysV certain
    > system accounts needed particular UIDs to work correctly. The same
    > is (or was) true for GIDs. (On Solaris only member of group #14
    > can use the system management console.)
    Group 14 is correct, but it is admintool which is enabled for the sysadmin
    group by default. RBAC (Role Based Access Control) provides finer grained
    access. RBAC is not historical, though. It was implemented first in
    Solaris 8 IIRC, FCS date of Feb 2000, and is present in Solaris 9 and
    10-beta.

    Dave Uhring Guest

  14. #14

    Re: root equivalent user

    Dave Uhring wrote:
    > Not relevant to the addition of another user with UID=0.
    Relevant in the way that you cannot always assume that you can simply boot
    into single user.
    > If the admin cannot remember lilo's password then that individual cannot
    > boot the system anyway. Adding another "root" user helps nothing there.
    Please look at man 5 lilo.conf and the option "restricted". It enables the
    system to boot without password; password is only required when using
    options on LILO command line (such as single).

    -Timo

    --
    Timo Voipio | Helsinki, Finland | ICBM at: 60 11.800 N 024 52.760 E
    GeekCode ver 3: GU>CC d s-: a--- C++ UL(+)$>+++$ P+>+++ L++(+) E- W++ N++
    o? K? w O M- V- PS PE Y+ PGP+ t 5++ X R tv- b++(++++) DI+ D G e- h! r !y
    Remove +newsharvested to e-mail me | Poista +newsharvested jos meilaat

    Timo Voipio Guest

  15. #15

    Re: root equivalent user

    On Wed, 06 Aug 2003 00:58:26 +0300, Timo Voipio wrote:
    > Dave Uhring wrote:
    >
    >> Not relevant to the addition of another user with UID=0.
    >
    > Relevant in the way that you cannot always assume that you can simply boot
    > into single user.
    Which has -nothing- to do with a UID=0 user who is not root. The lilo
    code is -not- part of the OS; it resides on absolute sector 0 of the drive
    or sector 0 of the / partition of the Linux installation.
    > Please look at man 5 lilo.conf and the option "restricted". It enables the
    > system to boot without password; password is only required when using
    > options on LILO command line (such as single).
    Is that password the same as root's on the system? Is it the same as some
    other UID=0 user's? The man page certainly does not specify that.

    Please demonstrate the value of adding an extra UID=0 user.

    Dave Uhring Guest

  16. #16

    Re: root equivalent user

    Dave Uhring wrote:
    > On Wed, 06 Aug 2003 00:58:26 +0300, Timo Voipio wrote:
    >
    >
    >>Dave Uhring wrote:
    >>
    >>
    >>>Not relevant to the addition of another user with UID=0.
    >>
    >>Relevant in the way that you cannot always assume that you can simply boot
    >>into single user.
    >
    >
    > Which has -nothing- to do with a UID=0 user who is not root. The lilo
    > code is -not- part of the OS; it resides on absolute sector 0 of the drive
    > or sector 0 of the / partition of the Linux installation.
    Actually, you can stuff it anywhere the BIOS or other preceding boot
    loaders can find it. At the beginning of the only partition marked
    "active" is quite common, and for dual-booting Windows systems many
    folks put a copy of the LILO "master boot loader" or MBR, which is
    what the LILO system creates, as a file on a Windows file system and use
    it as a Windows boot option. That last trick is handy when you are
    installing dual boot systems and various options keep ing away your MBR.

    Now, for real fun and games and to be a complete , start hiding
    these little gems in different locations on an installation and let some
    poor beggar have to clean up after you....

    Nico Kadel-Garcia Guest

  17. #17

    Re: root equivalent user

    On Tue, 05 Aug 2003 22:47:02 +0000, Nico Kadel-Garcia wrote:
    > Dave Uhring wrote:
    >> Which has -nothing- to do with a UID=0 user who is not root. The lilo
    >> code is -not- part of the OS; it resides on absolute sector 0 of the drive
    >> or sector 0 of the / partition of the Linux installation.
    >
    > Actually, you can stuff it anywhere the BIOS or other preceding boot
    > loaders can find it. At the beginning of the only partition marked
    > "active" is quite common, and for dual-booting Windows systems many
    > folks put a copy of the LILO "master boot loader" or MBR, which is
    > what the LILO system creates, as a file on a Windows file system and use
    > it as a Windows boot option. That last trick is handy when you are
    > installing dual boot systems and various options keep ing away your MBR.
    Indeed, I mentioned only the most usual installation locations.

    Nonetheless, none of this discussion about lilo has one thing to do with
    the benefits of creating a second user with UID=0. The lilo binary is
    irrelevant to the execution of the OS; it merely boots it and has no
    knowledge of users listed in /etc/passwd or their UIDs.

    Dave Uhring Guest

  18. #18

    Re: root equivalent user

    "Ed" <efrasherhostdepot.com> wrote in message news:<iQQXa.9712$Ee7.1018fe02.atl2.webusenet.com> ...
    > Hi! VERY new to Linux, so please be patient with me!
    >
    > I work for an ISP, and I have setup a dedicated Redhat Linux 9 server for a
    > client. We would like to reserve the root user for our support staff to
    > help the client later. However, the client needs a "root equivalent"
    > account to manage their server.
    >
    > Is there a way to provide a given user account with the equivalent
    > privileges that root has?
    >
    > Thanks!
    > Ed
    Use sudo for this
    Xyerp Guest
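
A defender-side check for the condition the thread warns about, added here as an example and not part of any post: the script scans a passwd-format file for login names other than root that carry UID 0, and for UIDs shared by several names. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the extra UID 0 account discussed above.

# Print login names that carry UID 0 but are not "root" (e.g. a BSD-style "toor").
uid0_extras() {
    awk -F: '/^#/ || NF < 3 { next }
             $3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# Print "UID name1,name2" for every UID assigned to more than one login name.
shared_uids() {
    awk -F: '/^#/ || $3 !~ /^[0-9]+$/ { next }
             { u = $3 + 0; c[u]++; names[u] = (c[u] == 1 ? $1 : names[u] "," $1) }
             END { for (u in c) if (c[u] > 1) print u, names[u] }' "$1" | sort -n
}

# Report findings; return 1 if anything was found, 0 if the file is clean.
audit_passwd() {
    rc=0
    for name in $(uid0_extras "$1"); do
        echo "FAIL: '$name' has UID 0 (full root access under another name)"
        rc=1
    done
    shared=$(shared_uids "$1")
    if [ -n "$shared" ]; then
        echo "WARN: UIDs shared by several login names:"
        echo "$shared"
        rc=1
    fi
    return $rc
}

# Constructed sample data (not from the thread): "toor" aliases UID 0, two logins share 500.
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:client admin:/root:/bin/bash
ed:x:500:500:Ed:/home/ed:/bin/bash
web:x:500:500:web:/home/web:/bin/bash
EOF
}

sample=$(mktemp)
make_sample "$sample"
audit_passwd "$sample" || echo "audit: problems found"
rm -f "$sample"
```

On a live system, point the functions at /etc/passwd, or at a file produced by `getent passwd` so that accounts from other name-service sources are included.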
