Q

How can root and administrator privileges of different systems be delegated on one account?

In this expert response, Joel Dubin discusses how corporations can manage "superuser" accounts by delegating root and administrator privileges.

Our organization makes use of a "superuser" account ("root" in Unix and "administrator" in Windows), but I know such accounts are often one of the most exploited and costly methods of gaining unauthorized system access, since no file, device or command is off limits. Is there a way to maintain these accounts while mitigating the risks?
Both Unix and Windows have a built-in tool that allows users, on a restricted basis, to conduct only specific tasks as an administrator. In Unix, this tool is called "sudo," and in Windows it's called "runas."

On a Unix systems, for example, an ordinary user -- without administrative privileges -- can use "sudo" to run

a utility program that can only be run normally as administrator. The user is only allowed to run that single program as an administrator without being granted higher access for anything else. The same is true for "runas" in Windows. In Unix, the user types "sudo" at the command prompt and is asked for the regular password to their account. In Windows, the user right clicks on the application and chooses "runas" or types "runas" at the command prompt like Unix.

The elevated access is only allowed for running that particular application. Once the user logs out of that application, he/she loses their elevated privileges.

There is a key difference, however, between sudo and runas. Sudo can be finely tuned through the /etc/sudoers property file. Runas can't be customized at the same granular level. The danger with runas is that a malicious user could get access to any application on the system and have complete control of the machine.

Sudo, on the other hand, can be finely tuned to only allow specific users to do certain tasks and, even then, with restrictions. Every user that wants to use sudo has to be added to the sudoers property file and then have the specific privileges spelled out next to the entry with their name.

But there are two caveats with sudo, as well. The sudoers property file should be edited with a tool called visudo, which checks syntax and prevents different administrators from overwriting each other's changes to the file. The other caution is to make sure no user in sudoers is given unlimited administrative access to all applications. That would be the same as giving them full administrative rights and would open the candy store, if the user had malicious intent.

Symark Software offers a commercial product, PowerBroker, to securely delegate root privileges.

For more information:

  • In this expert Q&A, learn how to prevent administrator access to certain documents within a domain group.
  • Application security expert Michael Cobb discusses which tools can keep personally identifiable information (PII) out of access logs.
  • This was first published in November 2007

    Dig deeper on Enterprise User Provisioning Tools

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close