There is already a utility built-in to Linux and Unix systems called "sudo" that does exactly this. The sudo utility is a command line tool that allows users to have temporary root access with their own user ID without having to log in as root.
The other nice thing about sudo, besides that it's already available on the *nix family of systems, is its flexibility. Users are only allowed root access temporarily -- usually only the duration of their session -- and only to the functionality the sys-admin grants them. So, in other words, using sudo doesn't give the user free rein of the system where he or she might have unauthorized access or could cause damage to operating system files.
The sudo utility comes with a configuration file, "sudoers," which resides in the "/etc," where configuration files are stored in most Linux distributions. The "sudoers" configuration file specifies who can use sudo and what they're allowed to access. Specific users can be added as line entries to the configuration file.
The sudoers file can be configured manually but should be updated using a tool called "visudo." Otherwise, manual changes will be overwritten by visudo.
As for accountability, sudo logs all of its activity in a file called "sudo.log," which is usually located in the "/var/log" directory with other log files. The sudo log file lists the names of users who access sudo with a timestamp, as well as the host they logged in from and the commands that they used.
The sudo utility is the best option to allow root access by users with their own IDs and, at the same time, log their access and provide accountability for their activities.
- Learn how LDAP has evolved beyond Linux/Unix footprints.
- Read more tips on dealing with the challenges behind operational integeration of security and network management.
This was first published in April 2008