Limit Linux/root-possibility to one admin at a time

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












For a Linux (RHEL7) host on which multiple admin's have 'sudo -i' root-possibility, is there an easy way to force that only one of them may use this privilege at a time?



I.e. what I want; if one admin is root by 'sudo -i', another admin that tries this at the same time will be rejected - until the first admin exit's.



Or is using a (local?) password-vault-ish solution the only way?










share|improve this question







New contributor




Ulli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Does this work? limit users
    – number9
    Nov 20 at 16:50











  • It is a question for other topics - ethics, moral or somthing like this. If you include some users into sudoers you must believe, that they are at a sufficient level of decent behavior. They can immediately after login ask who or w to see if somone else is solving the problem. It seems to me much more simle to choose better sudoers then blocking them by logging priority.
    – schweik
    Nov 20 at 16:57










  • Reason for my question is auditability; TTY-audit to an external location is effective, but if more users are logged in with root, the one that kills the process for audit-transfer can thereafter do what he/she wants (with the local audit-logs) - and hence cannot be identified.
    – Ulli
    Nov 22 at 9:24














up vote
0
down vote

favorite












For a Linux (RHEL7) host on which multiple admin's have 'sudo -i' root-possibility, is there an easy way to force that only one of them may use this privilege at a time?



I.e. what I want; if one admin is root by 'sudo -i', another admin that tries this at the same time will be rejected - until the first admin exit's.



Or is using a (local?) password-vault-ish solution the only way?










share|improve this question







New contributor




Ulli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Does this work? limit users
    – number9
    Nov 20 at 16:50











  • It is a question for other topics - ethics, moral or somthing like this. If you include some users into sudoers you must believe, that they are at a sufficient level of decent behavior. They can immediately after login ask who or w to see if somone else is solving the problem. It seems to me much more simle to choose better sudoers then blocking them by logging priority.
    – schweik
    Nov 20 at 16:57










  • Reason for my question is auditability; TTY-audit to an external location is effective, but if more users are logged in with root, the one that kills the process for audit-transfer can thereafter do what he/she wants (with the local audit-logs) - and hence cannot be identified.
    – Ulli
    Nov 22 at 9:24












up vote
0
down vote

favorite









up vote
0
down vote

favorite











For a Linux (RHEL7) host on which multiple admin's have 'sudo -i' root-possibility, is there an easy way to force that only one of them may use this privilege at a time?



I.e. what I want; if one admin is root by 'sudo -i', another admin that tries this at the same time will be rejected - until the first admin exit's.



Or is using a (local?) password-vault-ish solution the only way?










share|improve this question







New contributor




Ulli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











For a Linux (RHEL7) host on which multiple admin's have 'sudo -i' root-possibility, is there an easy way to force that only one of them may use this privilege at a time?



I.e. what I want; if one admin is root by 'sudo -i', another admin that tries this at the same time will be rejected - until the first admin exit's.



Or is using a (local?) password-vault-ish solution the only way?







linux






share|improve this question







New contributor




Ulli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




Ulli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




Ulli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Nov 20 at 15:44









Ulli

1




1




New contributor




Ulli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Ulli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Ulli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











  • Does this work? limit users
    – number9
    Nov 20 at 16:50











  • It is a question for other topics - ethics, moral or somthing like this. If you include some users into sudoers you must believe, that they are at a sufficient level of decent behavior. They can immediately after login ask who or w to see if somone else is solving the problem. It seems to me much more simle to choose better sudoers then blocking them by logging priority.
    – schweik
    Nov 20 at 16:57










  • Reason for my question is auditability; TTY-audit to an external location is effective, but if more users are logged in with root, the one that kills the process for audit-transfer can thereafter do what he/she wants (with the local audit-logs) - and hence cannot be identified.
    – Ulli
    Nov 22 at 9:24
















  • Does this work? limit users
    – number9
    Nov 20 at 16:50











  • It is a question for other topics - ethics, moral or somthing like this. If you include some users into sudoers you must believe, that they are at a sufficient level of decent behavior. They can immediately after login ask who or w to see if somone else is solving the problem. It seems to me much more simle to choose better sudoers then blocking them by logging priority.
    – schweik
    Nov 20 at 16:57










  • Reason for my question is auditability; TTY-audit to an external location is effective, but if more users are logged in with root, the one that kills the process for audit-transfer can thereafter do what he/she wants (with the local audit-logs) - and hence cannot be identified.
    – Ulli
    Nov 22 at 9:24















Does this work? limit users
– number9
Nov 20 at 16:50





Does this work? limit users
– number9
Nov 20 at 16:50













It is a question for other topics - ethics, moral or somthing like this. If you include some users into sudoers you must believe, that they are at a sufficient level of decent behavior. They can immediately after login ask who or w to see if somone else is solving the problem. It seems to me much more simle to choose better sudoers then blocking them by logging priority.
– schweik
Nov 20 at 16:57




It is a question for other topics - ethics, moral or somthing like this. If you include some users into sudoers you must believe, that they are at a sufficient level of decent behavior. They can immediately after login ask who or w to see if somone else is solving the problem. It seems to me much more simle to choose better sudoers then blocking them by logging priority.
– schweik
Nov 20 at 16:57












Reason for my question is auditability; TTY-audit to an external location is effective, but if more users are logged in with root, the one that kills the process for audit-transfer can thereafter do what he/she wants (with the local audit-logs) - and hence cannot be identified.
– Ulli
Nov 22 at 9:24




Reason for my question is auditability; TTY-audit to an external location is effective, but if more users are logged in with root, the one that kills the process for audit-transfer can thereafter do what he/she wants (with the local audit-logs) - and hence cannot be identified.
– Ulli
Nov 22 at 9:24















active

oldest

votes











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






Ulli is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f482998%2flimit-linux-root-possibility-to-one-admin-at-a-time%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes








Ulli is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















Ulli is a new contributor. Be nice, and check out our Code of Conduct.












Ulli is a new contributor. Be nice, and check out our Code of Conduct.











Ulli is a new contributor. Be nice, and check out our Code of Conduct.













 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f482998%2flimit-linux-root-possibility-to-one-admin-at-a-time%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?