Ubuntu: Prevent other users to login as me and view my files



Question:

My Ubuntu user account is named "user-3121", with type "Administrator". There is one more account named "sysadmin", also with type "Administrator". How do I know whether "sysadmin" can log in as me and view my files in "user-3121"?

My /etc/sudoers file has this:

    Cmnd_Alias   SHELLS = /bin/sh,/bin/bash,/bin/ksh, /usr/bin/x11/passwd

    Cmnd_Alias   SU = /usr/bin/su,/bin/su,/usr/bin/gksudo,/usr/bin/sudo,/usr/bin/su bash,/usr/bin/sudo /bin/bash,/usr/sbin/visudo

    Cmnd_Alias   PASS = /usr/bin/passwd root,/bin/* * root,/bin/* * sysadmin,/bin/* * /home/sysadmin,/usr/bin/passwd

    Cmnd_Alias      EDIT= /bin/* /etc/sudoers,/bin/* sudoers,/bin/* /etc/passwd,/bin/* passwd,/bin/* /etc/group,/bin/* group,/bin/* /etc/shadow,/bin/* shadow,/*/*/[a-z]* /etc/sudoers,/*/*/[a-z]* /etc/passwd,/*/*/[a-z]* /etc/group,/*/*/[a-z]* /etc/shadow,/*/*/[a-z]* sudoers,/*/*/[a-z]* passwd,/*/*/[a-z]* group,/*/*/[a-z]* shadow

    Cmnd_Alias   CMDS = /usr/sbin/userdel * sysadmin,/usr/sbin/userdel sysadmin,/usr/sbin/deluser * sysadmin,/usr/sbin/deluser sysadmin

    root    ALL=(ALL) ALL, !CMDS

    %admin ALL=(ALL) ALL, !SHELLS, !SU, !CMDS, !PASS, !EDIT
    %sudo  ALL=(ALL) ALL,!SHELLS, !SU, !CMDS, !PASS, !EDIT

    sysadmin ALL=(ALL) ALL
    administrator ALL=(ALL) ALL

Why is "user-3121" missing in /etc/sudoers? If "sysadmin" can read my data, how do I prevent that?

P.S. No one knows the "root" (su) password except me.


Solution:1

If another user can sudo (or knows your password, or can log in as root directly if enabled), then yes, they can log in as you and see your files.

Check which groups your login belongs to, as well as the other user's:

    $ groups
    user-3121 adm cdrom sudo dip lpadmin wireshark

    $ groups other_user
    ...?

Most systems use group sudo by convention to enable sudo access, rather than explicitly adding usernames to the sudoers file. Ubuntu historically used admin.

If a user is in group sudo or admin, then they can run sudo, and change to any user. Additionally, as you've done, check the sudoers file directly (typically by running $ visudo), and see if individual users are explicitly granted sudo privileges.

Note the release notes as of 12.04:

  • Up until Ubuntu 11.10, administrator access using the sudo tool was granted via the "admin" Unix group. In Ubuntu 12.04, administrator access will be granted via the "sudo" group. This makes Ubuntu more consistent with the upstream implementation and Debian. For compatibility purposes, the "admin" group will continue to provide sudo/administrator access in 12.04.

Edit: one option to keep other admin (sudo) users from reading your data is to encrypt it, and require a passphrase to decrypt. While you're using the file, however, the other user might be able to access it. See Is there a tool to encrypt a file or directory?
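
The group-versus-explicit-rule check described in the answer above, as an added example that is not part of the original answer: a small script that lists which accounts a sudoers-format file grants sudo to, and whether each comes from a %group rule or a per-user rule. The function names and the sample files are constructed for illustration; the sample rules are modelled on the ones quoted in the question.

```shell
#!/bin/sh
# Added example (not from the original post): show which accounts a
# sudoers-format file lets run sudo, and whether via a %group or a user rule.
# Limits: does not follow @include/#includedir, does not expand User_Alias,
# and sees only supplementary group members (field 4 of the group file).

sudo_principals() {   # usage: sudo_principals SUDOERS_FILE GROUP_FILE
    # Keep the first field of rule lines; skip comments, aliases and Defaults.
    awk '!/^[ \t]*#/ && /=/ &&
         $1 !~ /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias|@include)/ {
             print $1 }' "$1" |
    LC_ALL=C sort -u |
    while read -r who; do
        case $who in
        %*) # Group rule: print every member listed for that group.
            awk -F: -v g="${who#?}" '$1 == g {
                    n = split($4, m, ",")
                    for (i = 1; i <= n; i++)
                        if (m[i] != "") printf "%s\tgroup %s\n", m[i], g
                }' "$2" ;;
        *)  printf '%s\texplicit rule\n' "$who" ;;
        esac
    done
}

demo() {   # Constructed sample files modelled on the rules quoted in the question.
    d=$(mktemp -d) || return 1
    cat > "$d/sudoers" <<'EOF'
Cmnd_Alias SHELLS = /bin/sh,/bin/bash
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL, !SHELLS
%sudo   ALL=(ALL) ALL, !SHELLS
sysadmin ALL=(ALL) ALL
EOF
    cat > "$d/group" <<'EOF'
adm:x:4:user-3121
sudo:x:27:user-3121
admin:x:110:
EOF
    sudo_principals "$d/sudoers" "$d/group"
    rm -rf "$d"
}

# Real use (as root): sh this_script /etc/sudoers /etc/group
if [ "$#" -eq 2 ]; then sudo_principals "$1" "$2"; else demo; fi
```

On the sample data, "user-3121" appears only through the sudo group, which is why it has no line of its own in the sudoers file, while "sysadmin" holds an unrestricted explicit rule.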

