10.4: Hide all low UID users from the login window
Authored by: rohanl on May 22, '06 10:02:27PM

By disabling logins in this way, not only do you prevent someone from logging in via the login window, but they can't log in any other way (ssh, su, ...).

The only way to 'become' the user is to become root first and then su (root can do this without needing to enter a passwd).

This is a good thing for a user that is not meant to be interactive.



10.4: Hide all low UID users from the login window
Authored by: greed on May 24, '06 02:48:32PM

You can use 'sudo -u username' instead of gatewaying through root.

First, use visudo to edit the sudoers file.

Next, you want to add something like this:

dbauser ALL=(postgres) /usr/local/bin/psql, /usr/local/bin/pg_dump

Make dbauser a comma-separated list of all users you need. ALL means any machine; if you're sharing the sudoers file among several machines, then you can put a specific hostname here. The name in parens is the "sudo as" user; it can also be a comma-separated list if you like, (apache,mysql,postgres,mailman) for example. Then comes a list of allowed commands, or the magic word ALL to allow any command.

Users then can "sudo -u postgres /usr/local/bin/psql", and use their own password, to run as the database superuser.

This is, IMO (and IME), much better than having shared passwords on such accounts. There are several security benefits, AND your users have fewer passwords to remember, so it's easier to avoid writing them down in a bad place.



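Added example, not part of the comments above and not sudo's own code: a small Python model of the one-line rule form described in the last comment, showing which (user, host, run-as user, command) combinations such a rule permits. It assumes a simplified grammar (no aliases, tags, negation, wildcards or argument matching); the names alice, bob and db1 are constructed.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    users: frozenset      # who may invoke sudo
    hosts: frozenset      # machines the rule applies to
    runas: frozenset      # target accounts for 'sudo -u'
    commands: frozenset   # absolute command paths, or ALL

def _items(text):
    """Split a comma-separated sudoers list into a set of names."""
    return frozenset(p.strip() for p in text.split(",") if p.strip())

def parse_rule(line):
    """Parse 'users hosts=(runas) commands' (simplified form only)."""
    # Drop whitespace around commas so every list is a single token.
    line = re.sub(r"\s*,\s*", ",", line.strip())
    m = re.fullmatch(r"(\S+)\s+([^\s=]+)\s*=\s*\(([^)]+)\)\s*(.+)", line)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(*(_items(g) for g in m.groups()))

def _matches(allowed, value):
    # The keyword ALL matches anything in that position.
    return "ALL" in allowed or value in allowed

def is_allowed(rule, user, host, runas, command):
    """True only if all four fields of the request match the rule."""
    return (_matches(rule.users, user) and _matches(rule.hosts, host)
            and _matches(rule.runas, runas)
            and _matches(rule.commands, command))

if __name__ == "__main__":
    # The rule quoted in the comment above.
    rule = parse_rule(
        "dbauser ALL=(postgres) /usr/local/bin/psql, /usr/local/bin/pg_dump")
    # Constructed requests: (user, host, run-as user, command).
    requests = [
        ("dbauser", "db1", "postgres", "/usr/local/bin/psql"),
        ("dbauser", "db1", "root", "/usr/local/bin/psql"),  # not root
        ("dbauser", "db1", "postgres", "/bin/sh"),          # not listed
        ("alice", "db1", "postgres", "/usr/local/bin/psql"),
    ]
    for req in requests:
        print(req, "->", "allow" if is_allowed(rule, *req) else "deny")
```

On a real system, `visudo -c` checks the sudoers syntax and `sudo -l` lists what the current user is actually permitted to run.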