Limit Linux/root-possibility to one admin at a time

For a Linux (RHEL7) host on which multiple admins have 'sudo -i' root-possibility, is there an easy way to force that only one of them may use this privilege at a time?

I.e. what I want; if one admin is root by 'sudo -i', another admin that tries this at the same time will be rejected - until the first admin exits.

Or is using a (local?) password-vault-ish solution the only way?
  • Does this work? limit users
    – number9
    Nov 20 at 16:50

  • It is a question for other topics - ethics, moral or something like this. If you include some users into sudoers you must believe that they are at a sufficient level of decent behavior. They can immediately after login ask who or w to see if someone else is solving the problem. It seems to me much more simple to choose better sudoers than blocking them by logging priority.
    – schweik
    Nov 20 at 16:57

  • Reason for my question is auditability; TTY-audit to an external location is effective, but if more users are logged in with root, the one that kills the process for audit-transfer can thereafter do what he/she wants (with the local audit-logs) - and hence cannot be identified.
    – Ulli
    Nov 22 at 9:24

asked Nov 20 at 15:44 by Ulli
