Question
I reached the end of the internet with no success, so now I turn to you guys.
What I'm after is a way to implement four eyes principle on the OS level for certain commands in Linux.
Example: The admin group has 10 members. The reboot command should not be allowed to be performed by any one admin alone, but should require a second admin to enter his/her credentials as well.
Workflow: Admin A runs "sudo reboot". Terminal prompts for Admin A password. Terminal prompts for Admin B username and password. If both users are in the admin group, the command will run.
I have started to look into PAM, but couldn't find any immediate way to do this.
Does anyone know how to do this?
Explanation / Answer
I don't know of a packaged solution to do this. I expect it would be quite tricky to do, as you need a two-step request/approve system, and there is nothing like that in standard Linux systems.
One possibility is to use an out-of-band two-man system. For example, the reboot command could require an additional password. One half of the admins know that password; the other half have the rights to run reboot. To actually do a reboot, two admins would have to work together. Even this is a bit tricky - and flawed if the second admin writes down the password.
I've never seen this done in practice though, and I'm not sure it's a sensible thing to try and do. In general it is almost impossible to lock down admins, as they need high level rights to do their job. What is more practical is locking down administrator access, e.g. an admin's account is normally disabled; it is only enabled (by a separate team) when the admin is dealing with an authorised change or incident.
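The workflow the question asks for (Admin A authenticates through sudo, then a second, different member of the admin group must authenticate before the command runs) can be approximated with a root-owned wrapper script, as the added example below shows. This is not code from the question or the answer; it assumes a hypothetical install path of /usr/local/sbin/two-man-reboot, an admin group named by ADMIN_GROUP (default "admin"), /sbin/reboot as the real command, and that sudoers grants the admin group this wrapper rather than reboot itself. The second admin's password is checked by `su`, which goes through PAM; because root is never asked for a password by `su`, the wrapper first drops to the unprivileged `nobody` account and runs `su` from there. The page's own caveat still applies: the control only holds as long as neither admin knows or can obtain the other's credentials, and sudoers must not grant reboot by any other route.

```shell
#!/bin/sh
# Added example (not from the original question or answer): a wrapper that
# requires a second, distinct admin to authenticate before a privileged
# command runs. Hypothetical names: /usr/local/sbin/two-man-reboot, group
# "admin", /sbin/reboot, and the "nobody" account used to drop privileges.

ADMIN_GROUP="${ADMIN_GROUP:-admin}"
REAL_CMD="/sbin/reboot"          # assumed path of the real command

# Pure policy check, kept free of system calls so it can be tested:
#   approver_ok REQUESTER APPROVER GROUP "APPROVER_GROUPS"
# APPROVER_GROUPS is a space-separated list such as `id -nG user` prints.
# Returns 0 only if the approver is a different person from the requester
# and is a member of GROUP.
approver_ok() {
    requester="$1"; approver="$2"; group="$3"; groups="$4"
    [ -n "$approver" ] && [ "$approver" != "$requester" ] || return 1
    for g in $groups; do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# Authenticate the approver interactively. Root is never asked for a
# password by su, so first switch to the unprivileged "nobody" account and
# run su from there; that su call prompts for the approver's password and
# validates it through the system's PAM stack.
authenticate_approver() {
    su -s /bin/sh nobody -c "su -s /bin/sh '$1' -c true"
}

main() {
    # sudo records the invoking admin in SUDO_USER; fall back to id -un
    requester="${SUDO_USER:-$(id -un)}"
    if [ "$(id -u)" -ne 0 ]; then
        echo "run this through sudo so the first admin is authenticated" >&2
        exit 1
    fi
    printf 'Second admin username: '
    read -r approver
    # id -nG lists primary and supplementary groups of the approver
    if ! approver_ok "$requester" "$approver" "$ADMIN_GROUP" \
            "$(id -nG "$approver" 2>/dev/null)"; then
        echo "approver must be a different member of group $ADMIN_GROUP" >&2
        exit 1
    fi
    if ! authenticate_approver "$approver"; then
        echo "second-admin authentication failed" >&2
        exit 1
    fi
    # leave an audit trail of both identities before acting
    logger -t two-man "$REAL_CMD requested by $requester, approved by $approver"
    exec "$REAL_CMD"
}

# Run the interactive flow only when invoked under its install name, so the
# policy function above can be sourced and tested on its own.
case "$0" in
    *two-man-reboot) main "$@" ;;
esac
```

To make the wrapper the only route, the sudoers entry for the group would name it rather than reboot (for example `%admin ALL=(root) /usr/local/sbin/two-man-reboot`, with no broader rule for the same group). Note that `id -nG` includes the approver's primary group, so admins whose primary group is the admin group are handled; a member who is in the group only via `sudo` aliases is not, since the check is purely group-based.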