SUMMARY - Local "root" access

From: geoff@csis.dit.csiro.au
Date: Tue Oct 06 1992 - 09:59:06 CDT


"Some" time back I asked:-

> We have a requirement to allow "root" access to specific users on particular
>workstations while still maintaining network wide "root" access via NIS.
>
> I've set this up using the suggestion in Hal Stern's book ("Managing NFS
>and NIS") as follows:
> In /etc/passwd:
> Change the "root" entry to "lroot"
> lroot:*:0:1:(Local Root):/:/bin/csh
> Add +root::0:0::: to just before the end of the file so the user
>"root" is still managed by NIS.
> And added the user to the "wheel" group in /etc/group.
>
> This works pretty well, allowing them to `su lroot` to do their bit but
>not allowing network wide root access.
>
> Unfortunately when this machine is backed up, `rdump` to this machine
>fails with a "login incorrect" message.
>
> All machines are trusted in the network with appropriate netgroups in
>/.rhosts.
> When the "lroot" entries are backed out of /etc/passwd, `rdumps` work OK.
>
> Have I missed something?
> Somewhere in the dump process there must be a user name lookup on the
>dumphost that does not recognise "lroot".
>
> Any suggestions would be greatly appreciated (even comments on `sudo`).
                -----------------------------------------

Most people pointed out that "dumps" don't have to be performed by user "root"
and that a dummy user should be set up belonging to the group "operator"
to perform the backups - worthwhile advice.
        brw-r----- 1 root operator 7, 0 May 28 14:38 sd0a

Unfortunately (there's always a catch) we have DECstations as well as SUNs,
and you guessed it, the DECs have different device permissions, so this
scheme won't work:-
        brw------- 1 root system 21, 0 Sep 2 11:20 rz0a

We haven't really solved the problem, we can however use the "lroot" setup on
workstations that don't have local project space requiring backup. On the one
workstation where this is a problem we've configured `sudo`. We're not
"entirely" happy with sudo and have modified it slightly but are prepared to
live with the result.

Many thanks to:
John D. Barlow <John.D.Barlow@arp.anu.edu.au>
David Fetrow <fetrow@biostat.washington.edu>
David Lee <T.D.Lee@durham.ac.uk>
Eckhard.Rueggeberg@ts.go.dlr.de
bill%grape@uunet.UU.NET (Bill McSephney )
trinkle@cs.purdue.edu
Brent Alan Wiese <brent@crick.ssctr.bcm.tmc.edu>
feldt@phyast.nhn.uoknor.edu (Andy Feldt)
tjt@cirrus.com (Tim Tessin)
Paul Allen <paula@atc.boeing.com>
roberto@phyast.pitt.edu (Roberto Gomez)
kalli!kevin@fourx.Aus.Sun.COM (Kevin Sheehan
Richard Elling <Richard.Elling@eng.auburn.edu>

Regards
Geoff Morrison


