Prevent other users from logging in as me and viewing my files

Answer: 1

2 hours ago

My Ubuntu user account is named "user-3121", with type "Administrator". There is one more account named "sysadmin", with type "Administrator". How do I know whether "sysadmin" can log in as me and view my files in "user-3121"?

My /etc/sudoers file has this:

Cmnd_Alias   SHELLS = /bin/sh,/bin/bash,/bin/ksh, /usr/bin/x11/passwd

Cmnd_Alias   SU = /usr/bin/su,/bin/su,/usr/bin/gksudo,/usr/bin/sudo,/usr/bin/su bash,/usr/bin/sudo /bin/bash,/usr/sbin/visudo

Cmnd_Alias   PASS = /usr/bin/passwd root,/bin/* * root,/bin/* * sysadmin,/bin/* * /home/sysadmin,/usr/bin/passwd

Cmnd_Alias      EDIT= /bin/* /etc/sudoers,/bin/* sudoers,/bin/* /etc/passwd,/bin/* passwd,/bin/* /etc/group,/bin/* group,/bin/* /etc/shadow,/bin/* shadow,/*/*/[a-z]* /etc/sudoers,/*/*/[a-z]* /etc/passwd,/*/*/[a-z]* /etc/group,/*/*/[a-z]* /etc/shadow,/*/*/[a-z]* sudoers,/*/*/[a-z]* passwd,/*/*/[a-z]* group,/*/*/[a-z]* shadow

Cmnd_Alias   CMDS = /usr/sbin/userdel * sysadmin,/usr/sbin/userdel sysadmin,/usr/sbin/deluser * sysadmin,/usr/sbin/deluser sysadmin

root    ALL=(ALL) ALL, !CMDS

%admin ALL=(ALL) ALL, !SHELLS, !SU, !CMDS, !PASS, !EDIT
%sudo  ALL=(ALL) ALL,!SHELLS, !SU, !CMDS, !PASS, !EDIT

sysadmin ALL=(ALL) ALL
administrator ALL=(ALL) ALL

Why is "user-3121" missing from /etc/sudoers? If "sysadmin" can read my data, how do I prevent that?

P.S. No one knows the "root" (su) password except me.

Answer: 2

3 hours ago

If another user can sudo (or knows your password, or can log in as root directly if enabled), then yes, they can log in as you and see your files.

Check which groups your login belongs to, as well as the other user's:

$ groups
user-3121 adm cdrom sudo dip lpadmin wireshark

$ groups other_user
...?

Most systems use group sudo by convention to enable sudo access, rather than explicitly adding usernames to the sudoers file. Ubuntu historically used admin.

If a user is in group sudo or admin, then they can run sudo, and change to any user. Additionally, as you've done, check the sudoers file directly (typically by running $ visudo), and see if individual users are explicitly granted sudo privileges.

Note the release notes as of 12.04:

  • Up until Ubuntu 11.10, administrator access using the sudo tool was granted via the "admin" Unix group. In Ubuntu 12.04, administrator access will be granted via the "sudo" group. This makes Ubuntu more consistent with the upstream implementation and Debian. For compatibility purposes, the "admin" group will continue to provide sudo/administrator access in 12.04.

Edit: one option to prevent other admin (sudo) users from reading your data is to encrypt it, and require a passphrase to decrypt. While you're using the file, however, the other user might be able to access it. See "Is there a tool to encrypt a file or directory?"
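
The check described in the answer above (group membership plus explicit sudoers entries), as an added example that is not part of the original answer. The rules are taken from the question; the group file contents and GIDs are constructed, and `sudo_principals` and `write_sample` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: list every account that a sudoers rule applies to,
# expanding %group entries through a group file (getent group format).
# Limits: does not follow include directives or resolve User_Alias names,
# and primary-group membership (from passwd) is not in the group file.
sudo_principals() {  # usage: sudo_principals SUDOERS_FILE GROUP_FILE
    awk -F: -v sudoers="$1" '
        { members[$1] = $4 }                 # group name -> "user1,user2"
        END {
            while ((getline line < sudoers) > 0) {
                sub(/^[ \t]+/, "", line)
                # skip blanks, comments, Defaults and *_Alias definitions
                if (line == "" || line ~ /^(#|Defaults|[A-Za-z]+_Alias)/)
                    continue
                who = line;  sub(/[ \t].*/, "", who)
                rule = line; sub(/^[^ \t]+[ \t]+/, "", rule)
                if (who ~ /^%/) {
                    n = split(members[substr(who, 2)], m, ",")
                    for (i = 1; i <= n; i++)
                        printf "%s\tvia %s\t%s\n", m[i], who, rule
                } else
                    printf "%s\tdirect\t%s\n", who, rule
            }
        }' "$2"
}

# Constructed sample: rules from the question, made-up group file.
write_sample() {  # usage: write_sample DIR
    cat > "$1/sudoers" <<'EOF'
Cmnd_Alias   SHELLS = /bin/sh,/bin/bash,/bin/ksh
root    ALL=(ALL) ALL, !CMDS
%admin ALL=(ALL) ALL, !SHELLS, !SU, !CMDS, !PASS, !EDIT
%sudo  ALL=(ALL) ALL,!SHELLS, !SU, !CMDS, !PASS, !EDIT
sysadmin ALL=(ALL) ALL
administrator ALL=(ALL) ALL
EOF
    printf '%s\n' 'adm:x:4:user-3121' 'sudo:x:27:user-3121' \
        'admin:x:110:' > "$1/group"
}

# Demo run: prints one tab-separated line per account (account, source, rule).
dir=$(mktemp -d) && write_sample "$dir" &&
    sudo_principals "$dir/sudoers" "$dir/group"
rm -rf "$dir"
```

With this sample, user-3121 appears "via %sudo" even though the name is never written in the sudoers file, while sysadmin appears as a direct entry. On a live system, `sudo -l -U sysadmin` (run as root) shows sudo's own view of what one user may run.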
