Results 1 to 5 of 5

Thread: how to lock down remote users?

  1. #1
    Join Date
    Aug 2006
    Location
    Milano, Italy
    Beans
    101
    Distro
    Ubuntu 10.04 Lucid Lynx

    how to lock down remote users?

    hello All,

    we are going to install Postgres based OpenERP, and the professionals who will do the support asked to be granted root access to our server.

    They plan to support us from remote using an OpenVPN tunnel.

    I am not paranoid, however I do not like to hand over the keys...

    What could I propose them?

  2. #2
    Join Date
    Sep 2006
    Beans
    7,198
    Distro
    Lubuntu Development Release

    Re: how to lock down remote users?

    One way might be through sudo. sudo can be use to grant very fine grained access. It's possible that you could set up sudo to allow them to do what they need to and no more. If it is a production server, it's not (I hope) going to be changing a lot and the functions they need will be well-known and clearly defined. See cmnd_alias in sudoers

  3. #3
    Join Date
    Aug 2006
    Location
    Milano, Italy
    Beans
    101
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: how to lock down remote users?

    thanks for your kind reply.

    I had thought so, but I can't figure which commands they shall need to execute.

    Maybe I should ask THEM to prepare a modified sudoers file for my approval.

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: how to lock down remote users?

    Quote Originally Posted by gian View Post
    thanks for your kind reply.

    I had thought so, but I can't figure which commands they shall need to execute.

    Maybe I should ask THEM to prepare a modified sudoers file for my approval.
    That would be one idea.

    I don't know why they would need root access to manage a db server unless they need to start/stop the service.

    I would ask why they need root access in the first place.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #5
    Join Date
    Sep 2006
    Beans
    7,198
    Distro
    Lubuntu Development Release

    script

    I've been playing around with script a bit and it might be useful for logging. You can using in sshd using the ForceCommand directive. That way you have log of what they were doing and have a better change at getting the changes and configurations documented.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •