[TriLUG] Limited Access User Account

Barry Gaskins barry.gaskins at gmail.com
Sun Sep 18 21:43:44 EDT 2005


It sounds like you should probably give this guy either a restricted shell
account or a regular account set up with sudo permissions for a limited
number of commands. I think sudo logs the stuff he tries to do but I am not 
familiar with restricted shell. Sit down and talk to him and tell him what 
his limits are and tell him that his every move is logged and what the 
consequences of stepping over the bounds are.

You want to give this guy the opportunity to learn his job. If you just give 
him webadmin rights then he will not learn his job or if he is really good 
then he may be insulted that you do not trust him at all. If you maintain 
good backups then if he screws up with the limited access you give him then 
you should be able to recover. If he is really evil then logging should be 
able to detect what he is up to in case you suspect he is up to something 
bad. But in that case then give him enough rope to hang himself if he is
so inclined. If he is a good apple then let him prove himself. If he is a 
bad apple then it is better to discover it now than when he is given full 
admin rights.

- Barry Gaskins


On 9/17/05, Dhruv Gami <gami at d10systems.com> wrote:
> 
> Jon Carnes wrote:
> > Looking at some of the examples it seems like the setup is for a user to
> > do system maintenance/administration on a system without compromising the
> > security of user files/accounts (Paranoid Pointy-Haired Bosses don't
> > like the fact that a sysadmin can read their all too valuable files)
> >
> > Is this the problem you are trying to solve?
> 
> Essentially, yes. It's actually a complicated situation. We're trying to
> get a junior fellow to get limited access to one of our servers, and the
> idea is to delegate him tasks one by one, and give him enough access to
> do just those things. Giving him more access than that might make him
> curious and by mistake he might someday mess up something critical.
> Keeping him isolated on a non-production server doesn't help much, coz
> eventually this fellow will have to administer these servers. In my
> opinion, all this paranoid approach might not be needed, as regular
> backups etc can bring us back in case of any mess up, but the Paranoid
> Pointy-Haired Bosses don't want this guy to get access till whenever.
> 
> So now it's my responsibility to give him restricted access.
> 
> > Have you looked at using something like Webmin to admin the servers in
> > question? You can severely limit root access and only have normal
> > Admins use web-based tools for monitoring/maintaining the services.
> >
> > Just wondering if a different approach might not be more profitable.
> 
> I like the idea of webmin, and it will solve my problem to a certain
> extent, but then this guy still wouldn't know the command line ways of
> quickly doing things and identifying problems. In my opinion being able
> to work on command line to get any administrative task completed is
> needed for any system administrator at any level. Any comments?
> 
> regards,
> Gami
> 
> PS: Thanks to everyone else who gave insightful information into setting
> up a restricted shell. I didn't think it would be as complicated as it
> really is.
>
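An added example, not part of the original thread: one way to review the sudo logging discussed above, separating commands sudo ran from commands it refused. The log lines are constructed, the user names `junior` and `alice` and host `web1` are assumptions, and the line layout assumed is sudo's usual syslog entry.

```python
import re
from collections import defaultdict

# Constructed sample of sudo syslog entries (users "junior"/"alice" and host
# "web1" are assumptions for illustration, not taken from the thread).
SAMPLE_LOG = """\
Sep 18 21:40:01 web1 sudo:   junior : TTY=pts/0 ; PWD=/home/junior ; USER=root ; COMMAND=/usr/sbin/apachectl graceful
Sep 18 21:41:12 web1 sudo:   junior : command not allowed ; TTY=pts/0 ; PWD=/home/junior ; USER=root ; COMMAND=/bin/cat /etc/shadow
Sep 18 21:42:30 web1 sudo:   junior : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/junior ; USER=root ; COMMAND=/bin/su -
Sep 18 21:43:44 web1 sudo:   alice : user NOT in sudoers ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id
Sep 18 21:44:00 web1 sshd[812]: Accepted publickey for junior from 192.0.2.10 port 50022 ssh2
"""

# Assumed layout: "<timestamp> <host> sudo: <user> : [<reason> ;] TTY=... ; COMMAND=<cmd>"
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sudo(?:\[\d+\])?:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;=]+?) ; )?TTY=.*?COMMAND=(?P<cmd>.*)$"
)

def review_sudo_log(text):
    """Return {user: {"ran": [cmd, ...], "refused": [(reason, cmd, ts), ...]}}."""
    report = defaultdict(lambda: {"ran": [], "refused": []})
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue  # not a sudo command entry (e.g. the sshd line)
        if m["reason"]:
            # sudo puts a reason before TTY= only when it refused the request
            report[m["user"]]["refused"].append((m["reason"], m["cmd"], m["ts"]))
        else:
            report[m["user"]]["ran"].append(m["cmd"])
    return dict(report)

if __name__ == "__main__":
    for user, entry in review_sudo_log(SAMPLE_LOG).items():
        print(f"{user}: {len(entry['ran'])} ran, {len(entry['refused'])} refused")
        for reason, cmd, ts in entry["refused"]:
            print(f"  {ts}  {reason}: {cmd}")
```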


