Problem solve Get help with specific problems with your technologies, process and projects.

How to prevent users from sharing root passwords

On a Linux/Unix system, creating user IDs with root privilege who are unable to delete their own system logs is possible with a built-in tool. Identity and access management expert Joel Dubin explains.

For maintenance purposes, the root password is being used for our Linux/Unix systems. I would like support users to have their own IDs with root privilege so they aren't sharing a root password, and I can have accountability and they can't delete system logs of their own activities. Is this possible?

There is already a utility built-in to Linux and Unix systems called "sudo" that does exactly this. The sudo utility is a command line tool that allows users to have temporary root access with their own user ID without having to log in as root.

The other nice thing about sudo, besides that it's already available on the *nix family of systems, is its flexibility. Users are only allowed root access temporarily -- usually only the duration of their session -- and only to the functionality the sys-admin grants them. So, in other words, using sudo doesn't give the user free rein of the system where he or she might have unauthorized access or could cause damage to operating system files.

The sudo utility comes with a configuration file, "sudoers," which resides in the "/etc," where configuration files are stored in most Linux distributions. The "sudoers" configuration file specifies who can use sudo and what they're allowed to access. Specific users can be added as line entries to the configuration file.

The sudoers file can be configured manually but should be updated using a tool called "visudo." Otherwise, manual changes will be overwritten by visudo.

As for accountability, sudo logs all of its activity in a file called "sudo.log," which is usually located in the "/var/log" directory with other log files. The sudo log file lists the names of users who access sudo with a timestamp, as well as the host they logged in from and the commands that they used.

The sudo utility is the best option to allow root access by users with their own IDs and, at the same time, log their access and provide accountability for their activities.

More information:

This was last published in April 2008

Dig Deeper on Password management and policy

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.