Limit Linux/root-possibility to one admin at a time
For a Linux (RHEL7) host on which multiple admins have 'sudo -i' root-possibility, is there an easy way to force that only one of them may use this privilege at a time?
I.e. what I want: if one admin is root by 'sudo -i', another admin that tries this at the same time will be rejected - until the first admin exits.
Or is using a (local?) password-vault-ish solution the only way?
linux
Does this work? limit users
– number9
Nov 20 at 16:50
It is a question for other topics - ethics, moral or something like this. If you include some users into sudoers you must believe that they are at a sufficient level of decent behavior. They can immediately after login ask who or w to see if someone else is solving the problem. It seems to me much more simple to choose better sudoers than blocking them by logging priority.
– schweik
Nov 20 at 16:57
Reason for my question is auditability; TTY-audit to an external location is effective, but if more users are logged in with root, the one that kills the process for audit-transfer can thereafter do what he/she wants (with the local audit-logs) - and hence cannot be identified.
– Ulli
Nov 22 at 9:24
asked Nov 20 at 15:44
Ulli