[TriLUG] Limited Access User Account
Jon Carnes
jonc at nc.rr.com
Sun Sep 18 22:55:45 EDT 2005
On Sat, 2005-09-17 at 12:33, Dhruv Gami wrote:
> Jon Carnes wrote:
> > Looking at some of the examples it seems like the setup is for a user to
> > do system maintenance/administration on a system without compromising the
> > security of user files/accounts (Paranoid Pointy-Haired Bosses don't
> > like the fact that a sysadmin can read their all-too-valuable files)
> >
> > Is this the problem you are trying to solve?
>
> Essentially, yes. It's actually a complicated situation. We're trying to
> get a junior fellow to get limited access to one of our servers, and the
> idea is to delegate him tasks one by one, and give him enough access to
> do just those things. Giving him more access than that might make him
> curious and by mistake he might someday mess up something critical.
> Keeping him isolated on a non-production server doesn't help much, coz
> eventually this fellow will have to administer these servers. In my
> opinion, all this paranoid approach might not be needed, as regular
> backups etc can bring us back in case of any mess up, but the Paranoid
> Pointy-Haired Bosses don't want this guy to get access till whenever.
>
> So now it's my responsibility to give him restricted access.
>
> > Have you looked at using something like Webmin to admin the servers in
> > question? You can severely limit root access and only have normal
> > Admins use web-based tools for monitoring/maintaining the services.
> >
> > Just wondering if a different approach might not be more profitable.
>
> I like the idea of webmin, and it will solve my problem to a certain
> extent. But then this guy still wouldn't know the command line ways of
> quickly doing things and identifying problems. In my opinion being able
> to work on command line to get any administrative task completed is
> needed for any system administrator at any level. Any comments?
>
> regards,
> Gami
I've solved this problem more than a couple of times for various
organizations. There aren't many open-source ways of doing this (for
obvious philosophical reasons).

The path of least resistance (cheapest fix) is to never actually hand
the root password over to the guy, but set him up via sudo to do the
various tasks he needs to do. As he proves his abilities, increase the
list of things he can do via sudo. You're basically giving him a long
set of tweezers and making him work through some small holes you put in
the wall, but that might be good for his soul (sort of the way that
fasting is).

But give him his own kingdom to rule too. Let him have root access ...
and responsibilities in the Testing lab. Give him root reign over some
vital servers that just don't have user data on them. He can cut his
command line teeth on those and make his mistakes there as well.

Keep an eye on him by having his (and root's) command_history file
shipped to you every hour. You don't have to actually look at those
emails, but the Pointy-Haired-Boss will feel safer if he thinks you run
a tighter rein on security.

There are also a lot of tools out there for recording file accesses (via
a shell or through an application like Samba). You can use these to
record who/what/when/from-where accessed which files on your systems.
These reports make the PHB feel calmer as well.

I like to auto-send these via email to the PHB at the end of each day.
After the novelty wears off, he'll never open them again, but each time
he deletes it, he'll have one of those warm glowing power moments.

===

I'm not sure others have mentioned this, but pulling further away from
the command line are various tools that allow individuals to remotely
manage and monitor servers. They cost money, but the tools also have
built in security over who can do what and when. Novell seems to have
the best of these for Linux/Windows integrated shops.

Good luck,
Jon Carnes
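
A sudoers drop-in along the lines of the sudo approach described in the message above, with the delegated task list kept in aliases so it can grow one entry at a time. This is an added example, not part of the original post; the account name `jradmin`, the file name and every command path are assumptions to adjust for the host.

```sudoers
# /etc/sudoers.d/junior-admin   (constructed example)
# Edit only with:  visudo -f /etc/sudoers.d/junior-admin
# "jradmin" and all paths below are assumed names, not from the post.

# Tasks delegated so far. Each command is listed with its full path and
# exact arguments, so sudo rejects any other argument list.
Cmnd_Alias JR_SERVICES = /usr/sbin/apachectl configtest, \
                         /usr/sbin/apachectl graceful
Cmnd_Alias JR_LOGS     = /usr/bin/tail -n 200 /var/log/messages, \
                         /usr/bin/tail -n 200 /var/log/maillog
# sudoedit copies the file, runs the editor as the invoking user and
# copies the result back, so the editor's shell escape is not a root shell.
Cmnd_Alias JR_EDIT     = sudoedit /etc/httpd/conf/httpd.conf

# Send this user's sudo activity to syslog and record session output
# for later review.
Defaults:jradmin syslog=authpriv, log_output
# Ask for the user's own password on every invocation; the root
# password is never handed over.
Defaults:jradmin !targetpw, timestamp_timeout=0

# NOEXEC stops the log viewers from spawning further programs. It is
# placed last because a tag applies to every command that follows it,
# and apachectl (a wrapper script) must be able to exec httpd.
jradmin ALL = (root) JR_SERVICES, JR_EDIT, NOEXEC: JR_LOGS
```

Running `visudo -c` checks the syntax of the installed files, and `sudo -l -U jradmin` (as root) lists exactly what the account is allowed to run.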