Limit Linux/root-possibility to one admin at a time
For a Linux (RHEL7) host on which multiple admins have 'sudo -i' root-possibility, is there an easy way to force that only one of them may use this privilege at a time?
I.e. what I want: if one admin is root via 'sudo -i', another admin that tries this at the same time will be rejected until the first admin exits.
Or is using a (local?) password-vault-ish solution the only way?
linux
asked 2 days ago by Ulli
Does this work? limit users
– number9
2 days ago
It is a question for other topics: ethics, morals or something like this. If you include some users into sudoers, you must believe that they are at a sufficient level of decent behavior. They can immediately after login ask 'who' or 'w' to see if someone else is solving the problem. It seems to me much simpler to choose better sudoers than blocking them by logging priority.
– schweik
2 days ago
The reason for my question is auditability: TTY audit to an external location is effective, but if several users are logged in as root, the one that kills the audit-transfer process can thereafter do what he/she wants (with the local audit logs) and hence cannot be identified.
– Ulli
21 hours ago
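One way to get the behaviour the question asks for, which also addresses Ulli's auditability point, written here as an added example and not taken from the thread: instead of 'sudo -i', admins are allowed to run a single wrapper script that takes an atomic lock for the lifetime of the root shell and records who holds it, so a second admin is rejected until the first exits. The script path, the lock location and the sudoers line are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, assumed installed as /usr/local/sbin/root-shell and granted in sudoers
# instead of a general root shell, e.g. (assumed line):  %wheel ALL=(root) /usr/local/sbin/root-shell
# It runs as root, so kill -0 below can probe any pid. One admin holds the lock for the
# lifetime of the root shell; a second admin is rejected until the first one exits.
LOCK_DIR="${ROOT_SHELL_LOCK:-/run/root-shell.lock}"   # assumed lock location

# Record who took root and when; this is the line an audit investigation later points at.
write_owner() {
    printf '%s %s %s\n' "$1" "$2" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$LOCK_DIR/owner"
}

# Take the lock for user $1 with pid $2. mkdir is atomic, so exactly one caller wins.
# Returns 0 on success, 1 while another live root session holds the lock.
acquire_root_lock() {
    if mkdir "$LOCK_DIR" 2>/dev/null; then
        write_owner "$1" "$2"; return 0
    fi
    owner_user=""; owner_pid=""; owner_ts=""
    [ -f "$LOCK_DIR/owner" ] && read -r owner_user owner_pid owner_ts < "$LOCK_DIR/owner"
    if [ -n "$owner_pid" ] && kill -0 "$owner_pid" 2>/dev/null; then
        echo "root session already held by $owner_user (pid $owner_pid); try again later" >&2
        return 1
    fi
    # Owner pid is gone (crashed shell, reboot): treat the lock as stale and retry once.
    rm -rf "$LOCK_DIR"
    mkdir "$LOCK_DIR" 2>/dev/null || return 1
    write_owner "$1" "$2"
}

release_root_lock() {
    rm -rf "$LOCK_DIR"
}

# Prints "user pid timestamp" of the current root holder, or nothing when root is free.
root_lock_owner() {
    [ -f "$LOCK_DIR/owner" ] && cat "$LOCK_DIR/owner"
}

run_root_shell() {
    acquire_root_lock "${SUDO_USER:-unknown}" "$$" || exit 1
    trap release_root_lock EXIT HUP INT TERM
    logger -t root-shell "root shell opened by ${SUDO_USER:-unknown} (pid $$)"
    /bin/bash -l        # run as a child, not exec, so the EXIT trap releases the lock
}

# Only act as the wrapper when invoked under its installed name; sourcing just defines functions.
case "${0##*/}" in root-shell) run_root_shell ;; esac
```

The lock coordinates cooperating admins and names the single session that held root at a given time; someone already running as root can remove it, so the external TTY audit stream mentioned in the question remains the actual control.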