How can you prevent root password change on linux?

Solution 1

You have to think about it like this. If you give them the root password, or a route to it, you're essentially asking "how can I give them root except for all the times when I magically don't want them to have it". And the answer is "you can't. Computers don't work that way."

Solution 2

You can selectively allow certain commands with sudo, but you must be careful to not permit programs that allow shell access, writing to sym links, or one of a few dozen other problems. Here's a page on secure sudo scripting: http://www.kramse.dk/projects/unix/security-sudo-script_en.html

You could always hope that they don't know about the chattr command ;-)

Solution 3

I think the answer here depends on whether you are trying to stop them from maliciously changing the password to keep you out, or just carelessly getting the password because they forgot you need access. In the former case you are going to have a lot of trouble. I don't know under what circumstance you would give users root access to the box but still be worried about this, but the best you can do is try to limit their access to commands through sudo, which as others mentioned is tricky at best. In the latter case it seems like the solution would be to create yourself a user with sudo privileges. No one is going to accidentally change the password on your account so you don't have to worry about someone just making a mistake, or even changing the password for a good reason and forgetting to tell you about it because you can always get in with your account and change it back.

Solution 4

SELinux can do what you're looking for, although it's like using a nuclear-powered planet-smashing battleaxe to swat a fly, or whatever the Hitchhiker's quote actually is. If you're set on Linux rather than Solaris (and its shiny RBAC), the easiest-to-implement option will likely be to configure sudo to only allow the commands necessary.

Solution 5

There are a few options:

  • You could use PAM (Pluggable Authentication Modules) to allow you to log in as root, regardless of what they set the password to. There are a lot of modules available, so I'll just leave this one hanging.
  • You create 'a second root user' by opening /etc/passwd and adding a new user with the same UID as root (0). Then add a password into the /etc/shadow file for that specific user. This will allow you to log in as root and even if they change the password for 'root' - your login still works.
  • Create a shell script that is run periodically to check if the hash of the root user in /etc/shadow matches the one you want it to be. If it doesn't, the hash is changed back.

As others have pointed out, giving root access will allow them to do absolutely whatever they like on the system, and if they really want to lock you out, they can. The options above however make it harder or less transparent to them.
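The third bullet above describes a periodic check of the root hash in /etc/shadow. The script below is an added example written for this page, not code from the original answer. It takes the shadow and passwd file paths as arguments so it can be exercised against constructed sample files (on a real host those would be /etc/shadow and /etc/passwd, run as root), and it also lists every account with UID 0, which is how an auditor would notice the "second root user" from the second bullet. The function names, the sample entries and the hash values are constructed for illustration; the expected hash on a real system is whatever the administrator recorded from their own /etc/shadow.

```shell
#!/bin/sh
# Added example for this page, not code from the original answer.
# Keeps the root hash in a shadow-format file at a known value and lists
# accounts that share UID 0. File paths are passed as arguments so the
# functions can be run against constructed sample files; on a real host
# they would be /etc/shadow and /etc/passwd, and the script runs as root.

# Print the hash field (field 2) of the named user in a shadow-format file.
shadow_hash() {
  # $1 = shadow file, $2 = user name
  awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# Rewrite only the hash field of the named user, keeping the other fields.
# Writing through the existing inode (cat > file) keeps owner and mode.
set_shadow_hash() {
  # $1 = shadow file, $2 = user name, $3 = new hash
  tmp="$1.tmp.$$"
  awk -F: -v OFS=: -v u="$2" -v h="$3" '$1 == u { $2 = h } { print }' "$1" > "$tmp" &&
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Compare the current root hash with the expected one and restore it if it
# differs. Returns 0 when unchanged, 1 when a restore was needed.
enforce_root_hash() {
  # $1 = shadow file, $2 = expected hash
  current=$(shadow_hash "$1" root)
  if [ "$current" = "$2" ]; then
    return 0
  fi
  # Record the event in syslog if logger is available; the check itself
  # does not depend on it.
  logger -t rootcheck "root hash in $1 changed; restoring" 2>/dev/null || true
  set_shadow_hash "$1" root "$2"
  return 1
}

# List every account whose UID is 0, one name per line. Anything besides
# "root" here is a UID 0 alias of the kind the second bullet describes.
uid0_accounts() {
  # $1 = passwd file
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# Constructed sample files for trying the functions out (not real data).
sample_shadow() {
  f=$(mktemp)
  printf 'root:$6$EXAMPLESALT$examplehash:19000:0:99999:7:::\n' > "$f"
  printf 'daemon:*:19000:0:99999:7:::\n' >> "$f"
  echo "$f"
}
sample_passwd() {
  f=$(mktemp)
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$f"
  printf 'toor:x:0:0:second root:/root:/bin/sh\n' >> "$f"
  printf 'alice:x:1000:1000::/home/alice:/bin/sh\n' >> "$f"
  echo "$f"
}
```

On a real host the check would be called from a root crontab entry such as `*/5 * * * * root /usr/local/sbin/rootcheck.sh` (an assumed path), with `enforce_root_hash /etc/shadow "$EXPECTED"` and `uid0_accounts /etc/passwd` as the body. As the answer and the comments already note, anyone with unrestricted sudo can edit that crontab, the script, or the file it protects, so this guards against accidents and oversights, not against a hostile user with root.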

Author: Philipp Jahoda

Updated on September 17, 2022

Comments

  • Philipp Jahoda
    Philipp Jahoda over 1 year

    I'm setting up a server which other people will have sudo access to via ssh. They can install stuff and make changes as they see fit, however I still need to manage the server, install patches and software updates etc.

    I'm wondering if I keep the root password so that I can always do what I need to, can I somehow disable people with sudo from being able to change it with sudo.

  • koenigdmj
    koenigdmj almost 15 years
    Then they run chattr -i /etc/shadow with sudo and are back in business.
  • womble
    womble almost 15 years
    In either of those cases -- malice or incompetence -- you really, really, really don't want to be giving them root access at all. +1 for the "keeping a separate sudo-capable account" around.
  • womble
    womble almost 15 years
    Not to mention the fact that it means that no other user can change their password either, which is really bad.
  • David Pashley
    David Pashley almost 15 years
    Wouldn't it be great if they could. I, for one, await the window manager with a Focus-Follows-Mind mode.
  • ThorstenS
    ThorstenS almost 15 years
    I already wrote "prevent THEM from changing ANY password". Not many spare-time admins know chattr. In the past it was very useful for me to know and use chattr.
  • Akilan
    Akilan almost 15 years
    Having a separate sudoer account is a great idea.
  • hayalci
    hayalci almost 15 years
    +1 for chattr, or +i ;)
  • Matt Simmons
    Matt Simmons almost 15 years
    David: Maybe eventually :-) That would be excellent.
  • chris
    chris almost 15 years
    Actually getting the sudo permissions correct to absolutely contain someone is a steep hill. Once I've got a program running as UID 0, I've got just a thin paper wall between me and an actual root shell. Of course, that's assuming clever and hostile users, but still.
  • Andrioid
    Andrioid almost 15 years
    Not really an answer to his question, now is it?
  • Brad Ackerman
    Brad Ackerman almost 15 years
    Just because you're paranoid, it doesn't mean they're not out to get you.
  • Rob Moir
    Rob Moir almost 15 years
    Actually, Andrioid, I think it is. Maybe not the answer wanted, but an answer nonetheless.
  • Sandokas
    Sandokas over 14 years
    You can; any RBAC system allows you to accomplish a similar job. As for saying computers don't work that way: computers are made to work the way their creators are smart enough to make them!
  • Sumeet Kashyap
    Sumeet Kashyap over 14 years
    Hmmm.. is it possible to do this with SELinux?
  • MadHatter
    MadHatter almost 9 years
    You might want to hold off on security pronouncements until you learn a bit more. To drive a truck through your rules above, try sudo vi /tmp/foo, then :!/bin/bash, then passwd root.
  • Eric
    Eric almost 9 years
    Yes, this is not a polished solution, but it answers his question.
  • MadHatter
    MadHatter almost 9 years
    My point is it's not a solution at all. If you were to try to polish it, you'd find out that the observation "you can't" is in fact correct. It's true that you can secure a system with sudo, but you will never manage it by allowing them to do everything-except-the-listed-exceptions. It's literally impossible.
  • Sam
    Sam over 8 years
    Obscurity is not the same as security, thus chattr is not a secure solution.