"dubaisans dubai" <[EMAIL PROTECTED]> wrote:
>I would like to give root user privileges to a set of OS
>administrators. Everyone has individual user-ids on the system.
>Currently they log in with their personal ID and then SU to root. I
>do not want to share root password with these many people.
>
>I am thinking of adding all these users to the "root" group [GID 0].
>Will it provide root-equivalent UID 0 access to these users? If not,
>why? Does the "root" group not have root user-id equivalent
>privileges?
>
>Is it possible manually to make the GID 0 privileges equivalent of UID 0?
>
>How else can I give these individual users root privileges - make all
>of them UID 0 or something? Is that a smart idea?
>
>I am looking at something simpler than SUDO or RBAC

Group ID 0 has no significance in any Unix-like system (Solaris, Linux,
...). If you look in the manuals, the raised privileges belong to a
process with (effective) UID of 0 - root. (If you ever used the Zilog
Zeus operating system - say 20 years ago - then the super-user there was
not 'root' but 'zeus' - kind of appropriate, really - but it was zeus who
had UID of 0.) The POSIX specification always talks about 'appropriate
privileges' but it is usually translated as 'root privileges' (and that
means 'EUID = 0').

If you prefer, you can create multiple user names each allocated the user
ID of 0 and a separate password. Just make sure 'root' is listed first in
the password file. This is a widely used technique (in the companies
where I've worked, anyway). Just remember that the process accounting
system won't be able to distinguish these users from each other - their
processes will all look as if they were run by root.

    root:x:0:0:Root:/:/bin/ksh
    admin1:x:0:0:First Administrator:/root:/bin/ksh
    admin2:x:0:0:Second Administrator:/root:/bin/ksh
    ...

Using 'sudo' has advantages - it can log when people start working as
root.

--
Jonathan Leffler ([EMAIL PROTECTED])
STSM, Informix Database Engineering, IBM Information Management Division
4100 Bohannon Drive, Menlo Park, CA 94025-1013
Tel: +1 650-926-6921 Tie-Line: 630-6921
"I don't suffer from insanity; I enjoy every minute of it!"
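
An audit check for the arrangement discussed in the reply above, added here as an example and not part of the original message: it lists every UID-0 entry in a passwd-format file, flags accounts that have only GID 0 (which the reply says carries no privilege), and verifies that 'root' is the first UID-0 entry. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Audit passwd-format input (file argument or stdin). One finding per line:
#   UID0 <name>        account whose UID field is 0 (full root privileges)
#   GID0_ONLY <name>   primary GID 0 but non-zero UID (no root privileges)
#   MALFORMED line N   entry with fewer than 7 colon-separated fields
#   ORDER ok|bad ...   whether 'root' is the first UID-0 entry in file order
audit_passwd() {
    awk -F: '
        /^#/ || /^$/ { next }                   # skip comments and blank lines
        NF < 7 { print "MALFORMED line " NR; next }
        $3 ~ /^0+$/ {                           # "0", and also "00" etc.
            if (first == "") first = $1         # remember first UID-0 name
            print "UID0 " $1
            next
        }
        $4 ~ /^0+$/ { print "GID0_ONLY " $1 }
        END {
            if (first == "root") print "ORDER ok"
            else print "ORDER bad (first UID-0 entry: " (first == "" ? "none" : first) ")"
        }
    ' "$@"
}

# Constructed sample input (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Root:/:/bin/ksh
admin1:x:0:0:First Administrator:/root:/bin/ksh
operator:x:1001:0:GID 0 only:/home/operator:/bin/ksh
alice:x:1002:100:Ordinary user:/home/alice:/bin/ksh
EOF
}

# Demo run on the constructed sample; on a live host: audit_passwd /etc/passwd
sample_passwd | audit_passwd
```

Every name reported as UID0 other than root is an alias whose processes are indistinguishable from root's in process accounting, so the list is worth reviewing against the set of administrators who are meant to have it.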