Root access to NON-administrators

Status
Not open for further replies.

ttutor

IS-IT--Management
Dec 15, 2002
5
US
I am being asked, as an IT professional (Unix OS - SUN and RS/6000), to allow multiple personnel in another department the ability to run full root commands in order to fulfill their jobs as storage administrators (EMC). I am looking for some help in identifying the impacts and security vulnerabilities of allowing this to happen.

Any input would be appreciated.
 
Impacts and vulnerabilities? Well, you're allowing non-admins to log on as root, essentially. That's always very bad. The only important 'vulnerability' is that they can really, really screw things up if they make a mistake (which will happen in one form or another... trust me).

If I were you I'd find another way for these people to get the job done.
 
You're in luck. Being that you are running *nix OSs, you can install sudo, which allows you to control access to root commands, without giving users the root password. The configuration file allows you to specify which directory(ies) and/or executables the user is allowed to use. They use their own password to execute the command, and each use is written to the syslog.

Just beware of allowing access to all of /bin, because it is trivial to execute a shell with sudo, giving the user an unlogged root shell.


It sounds as if these guys are administrators, but you don't want to allow them to have uninhibited (or especially unlogged) root sessions.

Good luck!
pansophic
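
An added example, not part of the thread or of sudo itself: a small Python audit that flags sudoers grants of the kind the reply above warns about (a whole directory such as /bin, a shell binary, or ALL). The sample entries, user names and /opt/storage paths are constructed and hypothetical, and the parser is deliberately simplified.

```python
import re

# Constructed sample sudoers entries; users and /opt/storage paths are hypothetical.
SAMPLE = """\
Defaults syslog=auth
stor1 ALL = (root) /bin/
stor2 ALL = (root) NOPASSWD: /usr/bin/ksh
stor3 ALL = (root) /opt/storage/bin/lunreport, /opt/storage/bin/
stor4 ALL = ALL
stor5 ALL = (root) /opt/storage/bin/lunreport
"""

SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "dash"}
SHELL_DIRS = {"/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/"}  # assumed to hold a shell

def classify(cmd):
    """Return why a granted command spec is too broad, or None if it looks scoped."""
    path = cmd.split()[0]
    if path == "ALL":
        return "every command, shells included"
    if path.endswith("/"):  # sudoers: trailing slash grants every file in the directory
        if path in SHELL_DIRS:
            return "whole directory that contains a shell"
        return "whole directory: any file placed there runs as root"
    if path.rsplit("/", 1)[-1] in SHELLS:
        return "shell binary: commands typed inside it are not logged by sudo"
    return None

def audit_sudoers(text):
    """Return (line_no, grantee, command, reason); no continuations, includes or alias expansion."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        if re.match(r"(User|Host|Runas)_Alias\b", line):
            continue  # only Cmnd_Alias definitions and user specs carry commands
        who, rhs = line.split("=", 1)
        rhs = re.sub(r"\([^)]*\)", "", rhs)    # drop (runas) lists
        rhs = re.sub(r"\b[A-Z_]+:", "", rhs)   # drop tags such as NOPASSWD:
        for cmd in (c.strip() for c in rhs.split(",")):
            if cmd and not cmd.startswith("!"):  # negated entries are denials, not grants
                reason = classify(cmd)
                if reason:
                    findings.append((no, " ".join(who.split()), cmd, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```

Only the stor5 entry, which names a single executable, passes without a finding.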
 