Title: Secure administrative access tool for Linux - runas

KBTAG: kben10000014
URL: http://www.securityportal.com/lskb/10000000/kben10000014.html
Date created: 14/03/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: sudo - a secure administrative access tool for Linux
Keywords: Administration/Tools, Administration/Root

Summary:

Almost any administrative function in Linux requires root (privileged) access. Unfortunately, the built-in mechanisms for granting this type of access are relatively weak. The primary tool is "su", which lets you run a shell as another user. However, you need the other user's password, so everyone you want to grant root access to will have the password and unrestricted access. A slightly more fine-grained tool is the setuid or setgid bit: if this is set on a file, the file runs as the user or group that owns it (typically root). Managing file permissions and ensuring there are no bugs in the program that can be used to gain full root access is difficult at best. For an overview, please see knowledge base article kben10000011.

More information:

runas allows you to give users and groups privileged access to commands in a limited manner. You create a config file listing the command, who it runs as, and which users or groups are allowed to run it as such. In addition, you can restrict the use of options (arguments), and you can prompt the user for a reason (which is logged to syslog). This is one of my favorite features: with a little training, you can have your admin staff documenting what they do in a relatively painless fashion (e.g., “wanted to reboot server because of memory leak”).
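
The checks described above (command, run-as account, permitted users or groups, permitted arguments, logged reason) can be modelled as a default-deny decision function. This is an added illustration, not runas code and not its configuration syntax; the Rule fields, the sample policy and the log format are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # hypothetical model, not runas's config syntax
    command: str                 # absolute path of the permitted program
    run_as: str                  # account the command executes as
    users: frozenset = frozenset()         # users allowed to run it
    groups: frozenset = frozenset()        # groups allowed to run it
    allowed_args: frozenset = frozenset()  # only these arguments are accepted
    need_reason: bool = True               # require a justification for the log

# Constructed sample policy (names and paths are illustrative).
POLICY = [
    Rule("/sbin/shutdown", "root", groups=frozenset({"operators"}),
         allowed_args=frozenset({"-r", "now"})),
    Rule("/usr/sbin/lpc", "lp", users=frozenset({"alice"}),
         allowed_args=frozenset({"status"}), need_reason=False),
]

def authorize(user, user_groups, argv, reason=""):
    """Return (allowed, run_as, log_line); anything not listed is denied."""
    def deny(why):
        # repr() escapes newlines so user input cannot forge extra log lines
        return False, None, f"DENY user={user!r} cmd={argv!r} why={why}"

    if not argv or not argv[0].startswith("/"):
        return deny("command must be an absolute path")
    for rule in POLICY:
        if rule.command != argv[0]:
            continue
        if user not in rule.users and not (set(user_groups) & rule.groups):
            continue
        bad = [a for a in argv[1:] if a not in rule.allowed_args]
        if bad:
            return deny(f"argument not permitted: {bad!r}")
        if rule.need_reason and not reason.strip():
            return deny("reason required")
        return True, rule.run_as, (f"ALLOW user={user!r} run_as={rule.run_as} "
                                   f"cmd={argv!r} reason={reason!r}")
    return deny("no matching rule")

if __name__ == "__main__":
    for case in [("bob", ["operators"], ["/sbin/shutdown", "-r", "now"],
                  "wanted to reboot server because of memory leak"),
                 ("bob", ["operators"], ["/sbin/shutdown", "-h", "now"], "test")]:
        print(authorize(*case)[2])
```

A real tool would send the returned log line to syslog and only then switch to the run-as account; the function here stops at the decision.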

Downloads:

http://www.mindspring.com/~carpinello/runas/index.html