[ale] Access Control Challenge

Michael D. Hirsch mhirsch at nubridges.com
Wed May 26 16:44:42 EDT 2004


On Tue, 2004-05-25 at 17:17, Thomas Wood wrote:
> One of my first experiments.  DBA still needs access to the account, 
> but can only do so by using sudo.  The solution I've decided to use is 
> change the user password so that only I know it.  This will force 
> everybody who wants to become that user to sudo.  My DBAs won't be 
> happy but they'll adjust.

Even better, destroy the password by prepending 'x' to it in
/etc/passwd.  Then you can't log in with a password.  You can set it so
you can log in with an ssh key, or root can su to that user.  sudo also
can work, but logins are impossible.

Michael

> thanks everybody,
> wood
> On May 24, 2004, at 5:31 PM, Danny Cox wrote:
> 
> > Thomas,
> >
> > On Sun, 2004-05-23 at 01:17, Thomas Wood wrote:
> >> Has anyone else found a more elegant solution?  I'd really like to keep my
> >> DBAs in the loop, password-wise, but they don't need the password and I
> >> think I can prevent them from changing it.
> >>
> >> Any thoughts?  And no, tcp wrappers doesn't let you filter by username.
> >> Oh that it did.  Also, I'm trying to avoid installing a firewall on my
> >> DB, so please, no filter rulesets.
> >
> > 	Will passwd -l (see man 1 passwd) do?  It "locks" the account, only
> > allowing root to gain access.  It may close the door too much, though.
> >
> > -- 
> > kernel, n.: A part of an operating system that preserves the
> > medieval traditions of sorcery and black art.
> >
> > Danny
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> >
> 
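An added example, not written by anyone in this thread: a POSIX shell audit that reads a shadow-format file and reports, per account, whether password login still works, whether the account carries the `!`/`*` lock marker that `passwd -l` sets, or whether the hash has been made unusable the way Michael describes. The account names and the shadow-style sample data are constructed for the demonstration; on a real host you would point `audit_file` at `/etc/shadow` as root.

```shell
#!/bin/sh
# Constructed shadow-format sample (not a real /etc/shadow). Hash values are
# placeholders with the right shape, not real credentials.
SAMPLE_SHADOW='root:$6$saltsalt$abcdefghijklmnop:15000:0:99999:7:::
oracle:!$6$saltsalt$abcdefghijklmnop:15000:0:99999:7:::
dba1:x$6$saltsalt$abcdefghijklmnop:15000:0:99999:7:::
postgres:*:15000:0:99999:7:::
svc:$1$abc$defghijklmnop:15000:0:99999:7:::
nopass::15000:0:99999:7:::'

# classify_hash HASHFIELD -> empty | locked | password | unusable
classify_hash() {
  case "$1" in
    '')        echo empty ;;      # no password at all: password login with no secret
    '!'*|'*'*) echo locked ;;     # lock marker as written by passwd -l / usermod -L
    '$'*)      echo password ;;   # modern $id$salt$hash: password login works
    *)
      # Neither a lock marker nor a $id$ hash. A 13-character string is a
      # legacy DES crypt hash; anything else (e.g. an 'x'-prefixed hash as in
      # the thread) can never match crypt(3), so password login is impossible.
      if [ "${#1}" -eq 13 ]; then echo password; else echo unusable; fi ;;
  esac
}

# lock_state USER FILE -> classification for USER's hash field, or "missing"
lock_state() {
  line=$(grep "^$1:" "$2" | head -n 1)
  [ -n "$line" ] || { echo missing; return; }
  hash=$(printf '%s\n' "$line" | cut -d: -f2)
  classify_hash "$hash"
}

# audit_file FILE -> one "user<TAB>state" line per account
audit_file() {
  while IFS=: read -r user hash rest; do
    printf '%s\t%s\n' "$user" "$(classify_hash "$hash")"
  done < "$1"
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
audit_file "$tmp"
rm -f "$tmp"
```

Accounts reported as `locked` or `unusable` can still be reached by `su` from root, by `sudo -u`, or by an ssh key in their `authorized_keys`, which is exactly the split between password login and account access the thread is after.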
