Disabling admin accounts

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Disabling admin accounts

Post by alex.barylski »

I signed up for a dedicated hosting service...fully self managed except for request tickets where their admins might need access to my server.

Like with most hosting companies, there are two or more accounts which are used internally by them...which they recommend keeping active in case of an emergency. If I disable the account it's not my fault if they cannot make necessary repairs.

I don't really like the idea of any accounts existing outside of my own...should I disable their accounts? What kind of maintenance would they need to do which would require admin access? If I ever screw something up that badly software wise...I would likely just reinstall the OS and start from scratch.

How do I disable these admin accounts they have set up? Wise idea or no?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Disabling admin accounts

Post by VladSun »

To look for root access:

Code:

grep :0: /etc/passwd
Should return only

Code:

root:x:0:0:root:/root:/bin/bash
And

Code:

cat /root/.ssh/authorized_keys
should not return anything in case you haven't set up SSH key authorization.

Keep in mind that there may be other ways to get root access (e.g. ordinary user account and "su").
There are 10 types of people in this world, those who understand binary and those who don't
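
Added example (not part of the thread, and not code from either poster): the checks VladSun describes, written as a small shell audit that matches the UID field exactly and also covers unlocked passwords, admin groups and authorized_keys for every home directory. The group names sudo, wheel and admin and all sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: who can reach root on this box? File paths are arguments,
# so each check can be run on the live files or on copies of them.

# Accounts whose UID field is exactly 0 (grep :0: also matches GID 0).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Accounts with a usable password: hash field not empty, not locked (! or *).
password_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "${1:-/etc/shadow}"
}

# Members of groups that commonly grant sudo or su rights (assumed names).
admin_group_members() {
    awk -F: '$1 ~ /^(sudo|wheel|admin)$/ && $4 != "" { print $1 ": " $4 }' \
        "${1:-/etc/group}"
}

# Non-empty authorized_keys files for every home directory in passwd.
# $2 is an optional prefix, used to point at a copy of the filesystem.
key_files() {
    awk -F: '{ print $6 }' "${1:-/etc/passwd}" | sort -u | while read -r home; do
        f="${2:-}$home/.ssh/authorized_keys"
        [ -s "$f" ] && echo "$f"
    done
    return 0
}

# Constructed sample data (not taken from the server in the thread).
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'admin:x:0:0:hosting support:/home/admin:/bin/bash' \
    'games:x:12:0:games:/usr/games:/sbin/nologin' \
    'alex:x:1000:1000::/home/alex:/bin/bash' > "$demo_dir/passwd"
printf '%s\n' 'root:$6$constructed$hash:19000:0:99999:7:::' \
    'admin:!$6$constructed$hash:19000:0:99999:7:::' \
    'games:*:19000:0:99999:7:::' \
    'alex:$6$constructed$hash:19000:0:99999:7:::' > "$demo_dir/shadow"
printf '%s\n' 'root:x:0:' 'wheel:x:10:alex,admin' > "$demo_dir/group"
mkdir -p "$demo_dir/home/admin/.ssh"
echo 'ssh-ed25519 AAAAconstructed support@host' > "$demo_dir/home/admin/.ssh/authorized_keys"

echo "UID 0:        $(uid0_accounts "$demo_dir/passwd" | tr '\n' ' ')"
echo "password set: $(password_accounts "$demo_dir/shadow" | tr '\n' ' ')"
echo "admin groups: $(admin_group_members "$demo_dir/group")"
echo "ssh keys:     $(key_files "$demo_dir/passwd" "$demo_dir")"
```

In the sample, the admin account has a locked password but still holds UID 0 and an SSH key, so a password reset alone would not remove its access.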
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Disabling admin accounts

Post by alex.barylski »

EDIT | I simply reset the passwords for their admin account and changed my own as well.

The first command returned two accounts:

root and admin (the latter of which is theirs). I should probably reset my own password for root as well. How do I disable their account?

The last command returns: No such file or directory.

Ideally I just don't want them to have access to my PHP scripts, but I'm thinking this is not possible as my PHP setup requires scripts to execute as readable by world (user: nobody). Short of executing PHP with suexec...I guess just disabling their accounts is probably easiest?

I'm curious though as to what exactly they would access for. If a hardware failure occurs could they not fix that without having to login and make root changes?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Disabling admin accounts

Post by VladSun »

Code:

userdel admin
Because you don't have physical access to the server, there are many things you may screw up - e.g. executing "halt" ;)
Most of the times I have screwed up something with my servers was refusing SSH access to the machine - in most cases by bad firewall rules or changing network interface settings (e.g. "ifdown" ;) ). So, there would be cases where only console access would be needed in order to make things work.
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Disabling admin accounts

Post by alex.barylski »

I don't anticipate screwing up the system...I don't really tinker with much outside of a typical LAMP stack...and recently with mail servers. Not sure I know enough to be "that" dangerous. :)

Although, if I did happen to **** stuff up, could I not just send them an email with my root details? They could then login as root and do the exact same thing, no?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Disabling admin accounts

Post by VladSun »

Hockey wrote:I don't anticipate screwing up the system...I don't really tinker with much outside of a typical LAMP stack...and recently with mail servers. Not sure I know enough to be "that" dangerous. :)
Don't bet on it ;)
Hockey wrote:Although, if I did happen to **** stuff up, could I not just send them an email with my root details? They could then login as root and do the exact same thing, no?
That's correct :)
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Disabling admin accounts

Post by alex.barylski »

Hmmm...how does rebooting the system render ssh unusable?

In any case, they have a web based control panel for restarting your server...I'll keep that in mind though so I always work like stepping on egg shells. :P
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Disabling admin accounts

Post by VladSun »

Hockey wrote:Hmmm...how does rebooting the system render ssh unusable?
;)

Code:

:~# cat /etc/rc.d/rc.firewall
#!/bin/bash
iptables -I INPUT -p tcp --dport 22 -j DROP
 
reboot doesn't help in this case ;)
There are 10 types of people in this world, those who understand binary and those who don't
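
Added example (not part of the thread): a pre-flight check that scans a firewall script for rules like the one above before it is installed to run at boot. The function name, the default port 22 and the sample script are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a firewall script for rules that would cut off SSH.

# Print "line-number: rule" for every iptables rule in script $1 that DROPs or
# REJECTs inbound TCP to port $2 (default 22, an assumption).
# Understands --dport N, --dport A:B and multiport --dports lists.
ssh_blocking_rules() {
    awk -v port="${2:-22}" '
    /^[ \t]*#/ { next }                       # skip comments and the shebang
    /iptables/ && /INPUT/ && /-j[ \t]+(DROP|REJECT)/ {
        for (i = 1; i < NF; i++) if ($i == "--dport" || $i == "--dports") {
            n = split($(i + 1), parts, ",")
            for (k = 1; k <= n; k++) {
                lo = hi = parts[k]
                if (split(parts[k], r, ":") == 2) { lo = r[1]; hi = r[2] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                    print FNR ": " $0
                    next
                }
            }
        }
    }' "$1"
}

# Constructed sample script; line 4 is the rule shown in the post above.
fw_sample=$(mktemp)
cat > "$fw_sample" <<'EOF'
#!/bin/bash
# iptables -I INPUT -p tcp --dport 22 -j DROP   (commented out)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 21,23,8080 -j REJECT
iptables -A INPUT -p tcp --dport 20:25 -j DROP
EOF

if [ -n "$(ssh_blocking_rules "$fw_sample")" ]; then
    echo "These rules would block SSH after the next boot:"
    ssh_blocking_rules "$fw_sample"
fi
```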