Fermilab Computing Division

Restricting Root Access via .k5users


Restricted Access
It is often desirable to give users root access for the sole purpose of restarting specific services or executing only a handful of commands. The lazy way out is either to request a <username>/root@FNAL.GOV Kerberos principal (which can potentially expose the Kerberos password, since the user will have to kinit to this principal) and place that entry in root's .k5login file, or simply to place the user's real Kerberos principal in root's .k5login file. The problem with these types of setups is that the user can become root and perform any function that root can perform, which may not always be desired (and is certainly not recommended!). There is an easier way to allow someone to execute specified commands as root WITHOUT the ability to execute arbitrary commands.

Similar to the .k5login file, there exists a .k5users file, which allows you to define a Kerberos principal and the commands it is allowed to execute as root.

 

.k5users format:

<user1>@FNAL.GOV /bin/ls /usr/local/apache/bin/apachectl
<user2>@FNAL.GOV

 

In the above example, <user1>@FNAL.GOV will be allowed to execute both /bin/ls and /usr/local/apache/bin/apachectl.
<user2>@FNAL.GOV has no ability to execute anything.
Note that if <user1>@FNAL.GOV or <user2>@FNAL.GOV is present in root's .k5login file, they will still be able to obtain full root.

To use this feature as a user, simply append the '-e' flag to ksu:

$ ksu -e /usr/local/apache/bin/apachectl

If the user attempts to execute a command that they are not authorized for, they will receive an error:

% ksu -e /bin/cat
account root: authorization failed
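
The following audit sketch is an added example, not part of the original page and not ksu's own code. It models the rules described above (a command list in .k5users, full root for anyone in .k5login) with exact string matching, and the user3 entry and both file contents are constructed sample data.

```python
# Added example: a simplified model of the rules on this page, not ksu's own code.
# Principals and file contents below are constructed sample data.
SAMPLE_K5USERS = """\
user1@FNAL.GOV /bin/ls /usr/local/apache/bin/apachectl
user2@FNAL.GOV
user3@FNAL.GOV /usr/local/apache/bin/apachectl
"""
SAMPLE_K5LOGIN = """\
user3@FNAL.GOV
"""

def parse_k5users(text):
    """Map each principal to the list of commands that follow it on its line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries.setdefault(fields[0], []).extend(fields[1:])
    return entries

def parse_k5login(text):
    """Return the set of principals listed one per line in .k5login."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def may_execute(principal, command, k5users, k5login):
    """Would `ksu -e command` be authorized, per the rules described above?"""
    if principal in k5login:  # .k5login entry: full root regardless of .k5users
        return True
    return command in k5users.get(principal, [])

def audit(k5users, k5login):
    """List (principal, finding) pairs an administrator should review."""
    findings = []
    for principal in sorted(set(k5users) | k5login):
        if principal in k5login and principal in k5users:
            findings.append((principal, "in .k5login too: command list is not a restriction"))
        elif principal in k5login:
            findings.append((principal, "full root via .k5login"))
        elif not k5users[principal]:
            findings.append((principal, "listed with no commands"))
    return findings

if __name__ == "__main__":
    users, logins = parse_k5users(SAMPLE_K5USERS), parse_k5login(SAMPLE_K5LOGIN)
    for principal, finding in audit(users, logins):
        print(f"{principal}: {finding}")
```

Run against copies of root's real .k5users and .k5login, the audit highlights principals whose command list is overridden by a .k5login entry.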

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by TR on July 13, 2006.
(Address comments about page to the Computer Security Team.)