How to protect root user from root privileged custom user?

Asked by Rinshan Kolayil on 2021-05-30

I have created a user named as <username> in my local network server and prevented all root access and password login to the server instead i use SSH authentication. I would like to know how to protect root user by validation with password if access a file belongs to root. Lets say an example,

I have updated OS by `sudo apt-get update` and first time it asks for the password. Image - Asking for the password for the first time. Image - https://i.stack.imgur.com/BH36C.png

Second time i ran any command (e.g. `sudo ls -la /root`) in which the files or permissions all belongs to root user / other root privileged user rather than me. But this time, the command runs without asking for password because session of terminal was not closed. Image - https://i.stack.imgur.com/OQAUZ.png

My concern is how can i validate all actions (terminal commands) by a user with a password if permissions belongs to root user?.

Example validation message "Those files belongs to root user, are you sure wish to continue the operation?". Image - https://i.stack.imgur.com/306hV.jpg

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said :
#1

If a user is in the sudo group it has full system access. If you want to restrict what users can run then you can make groups and assign them to certain commands in visudo so you only give users access to run certain commands using sudo, rather than any and all commands.

Revision history for this message
actionparsnip (andrew-woodhead666) said :
#2

Sudo has a grace period which is why the second command did not require a password. You can reduce the grace period and require your users enter their password more frequently.

Revision history for this message
actionparsnip (andrew-woodhead666) said :
#3
Revision history for this message
Rinshan Kolayil (rinshan) said :
#4

@andrew - I hope your first answer will solve my problem. If i am trying to give grace period, i will automatically enter the password for every commands if it comes to daily process.

Revision history for this message
Rinshan Kolayil (rinshan) said :
#5

If system can request a password while accessing other user files, which will be better. Hope your better solution

Can you help with this problem?

Provide an answer of your own, or ask Rinshan Kolayil for more information if necessary.

To post a message you must log in.