I was just wondering if there is a way to give a user root access escalation on a *nix system, kind of like sudo, but which requires more than one sysadmin authorisation. I am thinking of something sort of like how a self-destruct command on a starship requires multiple command-level authorisations.
There's nothing like this, by default, but SELinux and and Posix ACLs might be able to be leveraged by denying everyone root except in cases where multiple tokens (or files, or processes, or whatever) exist and are owned by the proper people. Sort of like an even more complicated use of semaphores.
Check out this article in Linux Journal about making root unprivileged.
BTW, in case you didn't know, you're meddling in Deep Magic.
Maybe you could abuse a securid token by setting up the root account with the token. Then give the token to the "partially trusted person number 1 (manager)" and the PIN to "partially trusted person number 2 (admin)". Partially trusted person number 2 has to phone trusted person number 1. and ask him the number on the display of the token. That way 1 and 2 have to come together to make it possible to log in. I'd be a bit wary of relying on it, though you could put 2 locks on the door of an office and issue the keys to the semi-trusted parties who would again need to come together to open the office to get at the secure workstation?
I wouldn't be surprised if there are bits bolted onto some operating systems that do this but you'll probably have to join an organisation where you are expected to salute and say "Sir" a lot before you can use them.
This blog entry by someone who designed/built just such a system is interesting: Dr Rick (Crypto)Smith Blog