Any program like `sudo` to gain root by having two users enter a password

Tags: authorization, root, security, sudo

I run a server which is used by a group of individuals for e-mail, mailing lists, personal web homes etc.

I thought about ways to provide root access for other members to allow them handling problems on the server. But I don't like to give full root privileges to everyone.

What about the idea that two users must enter the password in sudo style to open a root shell? This would prevent a single user from hijacking the whole server. To increase security, any number of needed user passwords above 1 could be used. As I see it now, this could be a nice way to provide root access within a group of people who know each other quite well and live nearby.

  • Do you know such a program?
  • What do you think about the concept in general?

Best Answer

Requiring dual approval for certain actions is part of some security policies; for example:

  • In banking, very large transactions typically require validation by two managers.
  • Launching heavy weapons such as nukes requires validations by two or more high-ranking officers or decision-makers.
  • Approving or rejecting a suggested edit on Stack Overflow requires two users with sufficient reputation to agree.

You'll note that this is not about authentication (e.g. typing a password to show that you're who you pretend to be), but about authorization, i.e. deciding whether a certain action is permitted.

For background reading, I recommend Security Engineering by Ross Anderson. Buy the latest edition if you can, but otherwise the first edition is available online. The most relevant chapter is “Access Control”; there are examples in the chapters on banking and nuclear command.

Unix offers a simple security model, with only two levels: user and superuser. This is both a strength (simple means less room for errors in the design and implementation of the system itself and of security policies) and a weakness (complex security policies cannot be expressed natively). If you're worried about a rogue user gaining root, don't give him root permissions. There are very few checks on what root does; the only constraint would be that the action of gaining root can be logged remotely, as can certain external actions (network traffic). A rogue user could pretend to want to gain root to do a certain thing and actually do another while hiding his actions from the other user. So you would not gain much security by requiring root access to be vetted by another user. Conversely, you would lose security by reducing the availability of root access (I gather you want to give less trusted users root access to serve as back-ups if something goes wrong; dual approval would increase the burden a lot).

Dual approval is useful for specific actions: Alice says “please authorize me to do X”, Bob says “I authorize Alice to do X”, and the system performs X (X can be e.g. transferring $1,000,000,000 from one bank account to another, or nuking Moscow, or rejecting an edit). If Alice says “please authorize me to do anything I want” and Bob agrees, all Bob is doing is echoing what you (the policy maker) already said, namely that Alice can be authorized to do anything. You might as well make Alice a sudoer.

I don't know of any existing system on Unix to have multiple users approve specific commands in a sudo-like framework.
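To make the answer's distinction concrete, here is an added toy model (not from the original post and not an existing Unix tool) of a two-person authorization gate: Bob can only approve the exact, named action Alice requested, drawn from a fixed allow-list, and a blanket "open a root shell" action is simply not approvable. The action names and user names are constructed for the example.

```python
import secrets
import time

# Constructed allow-list of specific, named actions. A blanket "root shell"
# entry is deliberately absent: that would just re-state "Alice is a sudoer".
ALLOWED_ACTIONS = {"restart-postfix", "rotate-mail-logs"}


class DualApproval:
    """Toy two-person authorization gate for named actions (not a sudo replacement)."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.pending = {}   # request_id -> (requester, action, created_at)
        self.audit = []     # every decision, meant to be shipped to a remote log

    def request(self, requester, action, now=None):
        """Alice: 'please authorize me to do X'. Returns a one-time request id."""
        if action not in ALLOWED_ACTIONS:
            raise PermissionError(f"{action!r} is not an approvable action")
        rid = secrets.token_hex(8)
        self.pending[rid] = (requester, action, now if now is not None else time.time())
        self.audit.append(("requested", requester, action, rid))
        return rid

    def approve(self, approver, rid, action, now=None):
        """Bob: 'I authorize <requester> to do X'. Succeeds only for the exact request."""
        entry = self.pending.get(rid)
        if entry is None:
            raise PermissionError("unknown or already-used request")
        requester, requested_action, created = entry
        if approver == requester:
            raise PermissionError("requester cannot approve their own request")
        if action != requested_action:
            raise PermissionError("approval names a different action than the request")
        if (now if now is not None else time.time()) - created > self.ttl:
            del self.pending[rid]
            raise PermissionError("request expired")
        del self.pending[rid]   # single use: an old approval cannot be replayed
        self.audit.append(("approved", requester, approver, requested_action))
        return (requester, approver, requested_action)


def denied(fn, *args, **kwargs):
    """Return True if the gate refuses the call (used by the demo and tests)."""
    try:
        fn(*args, **kwargs)
        return False
    except PermissionError:
        return True
```

Note that the gate only decides whether the named action may run; actually executing it with elevated privilege (and logging that execution off-host) is the part the answer warns is hard to constrain once a full root shell is handed out.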
