[TriLUG] Limited Access User Account
gami at d10systems.com
Sat Sep 17 12:33:39 EDT 2005
Jon Carnes wrote:
> Looking at some of the examples it seems like the setup is for a user to
> do system maintenance/administration on a system without compromising the
> security of user files/accounts (Paranoid Pointy-Haired Bosses don't
> like the fact that a sysadmin can read their all too valuable files)
> Is this the problem you are trying to solve?
Essentially, yes. It's actually a complicated situation. We're trying to
get a junior fellow to get limited access to one of our servers, and the
idea is to delegate him tasks one by one, and give him enough access to
do just those things. Giving him more access than that might make him
curious and by mistake he might someday mess up something critical.
Keeping him isolated on a non-production server doesn't help much, coz
eventually this fellow will have to administer these servers. In my
opinion, all this paranoid approach might not be needed, as regular
backups etc. can bring us back in case of any mess up, but the Paranoid
Pointy-Haired Bosses don't want this guy to get access till whenever.
So now it's my responsibility to give him restricted access.
> Have you looked at using something like Webmin to admin the servers in
> question? You can severely limit root access and only have normal
> Admins use web-based tools for monitoring/maintaining the services.
> Just wondering if a different approach might not be more profitable.
I like the idea of Webmin, and it will solve my problem to a certain
extent, but then this guy still wouldn't know the command line ways of
quickly doing things and identifying problems. In my opinion being able
to work on the command line to get any administrative task completed is
needed for any system administrator at any level. Any comments?
PS: Thanks to everyone else who gave insightful information into setting
up a restricted shell. I didn't think it would be as complicated as it