KBTAG: kben10000013
URL: http://www.securityportal.com/lskb/10000000/kben10000013.html
Date created: 14/03/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: runas - a secure administrative access tool for Linux
Keywords: Administration/Tools, Administration/Root
To do almost any administrative function in Linux, one requires root (privileged) access. Unfortunately, the built-in mechanisms that can be used to grant this type of access are relatively weak. The primary tool is "su", which lets you run a shell as another user. However, you need the other user's password, so everyone you want to grant root access to will have the password and unrestricted access. A slightly more fine-grained tool is the setuid or setgid bit: if this is set on a file, the file runs as the user or group that owns it (typically root). Managing file permissions and ensuring there are no bugs in the program that can be used to gain full root access is difficult at best. For an overview, please see knowledge base article kben10000011.
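
One way to keep track of the setuid/setgid files described above is to inventory them and compare the result with an approved list. The script below is an added example, not part of the original article; the function names, the baseline file format (one approved path per line) and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and compare with a baseline.

# Print every regular file under $1 with the setuid (4000) or setgid (2000)
# bit set, one path per line, sorted. -xdev keeps find on one filesystem;
# permission-denied messages from unreadable directories are discarded.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Print privileged files under $1 that are not listed in baseline file $2.
unapproved() {
    tmp=$(mktemp) || return 1
    LC_ALL=C sort "$2" > "$tmp"
    # comm -23 keeps lines that appear only in the current inventory.
    list_privileged "$1" | LC_ALL=C comm -23 - "$tmp"
    rm -f "$tmp"
}

# Print privileged files under $1 that group or others may also write to,
# i.e. files that someone other than the owner could replace or modify.
writable_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null | LC_ALL=C sort
}

# Constructed demo tree (empty files in a temp directory, not system paths).
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/approved" "$d/unknown" "$d/loose" "$d/plain"
    chmod 4755 "$d/approved" "$d/unknown"
    chmod 4775 "$d/loose"
    printf '%s\n' "$d/approved" > "$d/baseline.txt"
    echo "not in baseline:"
    unapproved "$d" "$d/baseline.txt"
    echo "setuid/setgid and writable by group or others:"
    writable_privileged "$d"
    rm -rf "$d"
}
demo
```

On a real system, point the functions at / or /usr and keep the baseline file under change control so that any new entry gets reviewed.
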
Super can be used to give certain users (and groups) varied levels of access to programs. In addition, you can specify times and allow access to scripts. Debian ships with super, and binary packages and source are available. This is a very powerful tool, but like any powerful tool it requires a significant amount of effort to implement properly, and I think it is worth the effort. Some example config files are usually in the /usr/doc/super-xxx/ directory. The primary distribution site for super is at:
ftp://ftp.ucolick.org/pub/users/will/