Ask the Expert

How to prevent users from sharing root passwords

For maintenance purposes, the root password is being used for our Linux/Unix systems. I would like support users to have their own IDs with root privilege so they aren't sharing a root password, and I can have accountability and they can't delete system logs of their own activities. Is this possible?

    Requires Free Membership to View

There is already a utility built-in to Linux and Unix systems called "sudo" that does exactly this. The sudo utility is a command line tool that allows users to have temporary root access with their own user ID without having to log in as root.

The other nice thing about sudo, besides that it's already available on the *nix family of systems, is its flexibility. Users are only allowed root access temporarily -- usually only the duration of their session -- and only to the functionality the sys-admin grants them. So, in other words, using sudo doesn't give the user free rein of the system where he or she might have unauthorized access or could cause damage to operating system files.

The sudo utility comes with a configuration file, "sudoers," which resides in the "/etc," where configuration files are stored in most Linux distributions. The "sudoers" configuration file specifies who can use sudo and what they're allowed to access. Specific users can be added as line entries to the configuration file.

The sudoers file can be configured manually but should be updated using a tool called "visudo." Otherwise, manual changes will be overwritten by visudo.

As for accountability, sudo logs all of its activity in a file called "sudo.log," which is usually located in the "/var/log" directory with other log files. The sudo log file lists the names of users who access sudo with a timestamp, as well as the host they logged in from and the commands that they used.

The sudo utility is the best option to allow root access by users with their own IDs and, at the same time, log their access and provide accountability for their activities.

More information:

This was first published in April 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: