Adding secondary admin with full rights

[jared.busch]

Adding another user is easy.
adduser jared gpasswd -a jared sudo pveum user add jared@pam pveum acl modify / --roles PVEAdmin --users jared@pam

I can log in via SSH and have sudo access. Good.
I can log in to the GUI and do most things. Not Good. I need this account to do everything. Is there a different role I need to assign?
Then, preferably, I can disable root for SSH and the GUI.

 

[Neobin]

I need this account to do everything.

Not possible. Some activities are root-only. Afaik it is even hardcoded.

 

[fiona]

Hi,
FYI, there is an open feature request and work on the implementation has already started: https://bugzilla.proxmox.com/show_bug.cgi?id=2582
Unfortunately, @oguz has since left the company, so the work needs to be picked up by somebody else.

 

[Dunuin]

I can log in via SSH and have sudo access. Good.
I can log in to the GUI and do most things. Not Good. I need this account to do everything. Is there a different role I need to assign?
Then, preferably, I can disable root for SSH and the GUI.

Is there actually a security benefit disabling root replacing it with another user with the same privileges? I don't see the point yet. Only benefit I could think of would be that it is harder to bruteforce the root account on SSH/webUI/API when not knowing the admins username. But on the other hand if you care about that it would make more sense to enable 2FA for the webUI, disable password login for SSH and only allow RSA keys and to setup fail2ban.

Only benefit I would see is if you got multiple admins that should be able to administrate the server with their own accounts. I personally only would be interested in that feature, so I could use "picard@enterprise" instead of "root@enterprise" when working in the shell

 

[Vorl]

it's generally considered a security best practice, and has for more than 10 years now.

 

[Dunuin]

it's generally considered a security best practice, and has for more than 10 years now.

I know, but the question is still why, when I'm still supposed to switch to root using su - after logging in as the non-root user.

 

[Vorl]

You don't these days, and haven't for a long time. Almost every system I have run across for many years has sudo. With sudo you run commands with root permissions but don't need root's password, and for auditing purposes commands are tracked from the user running them instead of as "root"

Only old software with programmers that don't understand security are you required to actually run as root and not sudo (I have seen a few packages like this, but they are rare).

 

[Dunuin]

Ok, the point with auditing makes sense.
I also use sudo with PVE to run services by unprivileged users that need just privileged access to a few handpicked commands which otherwise would require the service to be run as root. So there sudo is really helpful to set up the privileges as strict as possible for additional security. But I still don't see a security benefit when allowing a unprivileged user to run every command as root, like ubuntu does it with its default %sudo ALL = (ALL:ALL) ALL.

 

[Vorl]

It's setup that way because using root is heavily discouraged. For normal home users most won't understand how to edit sudoers and don't need to. For enterprise/corporate users that deploy an image, that image will already include, or will modify the sudoers access to limit things unless you are dealing with an admin user.

most systems don't even setup a root password anymore specifically because they don't want people using it. I think it's mostly there for backwards compatibility.