SUMMARY: sudo anyone?

From: Dave Wreski (tel1dvw@is.ups.com)
Date: Fri Aug 08 1997 - 15:37:10 CDT


Hello all. Thanks to all who replied. I've listed my original
questions, with the answers afterwards. Contributors have been listed
at the end. Feel free to contact me with any further questions.

1. Is there a commercial version, with more features?

I haven't checked out any of the commercial products at this point,
but here are some products suggested:

http://www.symark.com
http://www.mcafee.com/prod/security/powerbroker.html
http://www.memco.com

3. What do you do for cases like vi, where someone can get a root shell?
    There is another case I'm worried about:
        sudo echo bkdoor::0:0:Backdoor:/tmp:/bin/bash >> /etc/passwd
    Can I limit which files the users have access to as well?

3a. Do not give the users you don't trust access to vi. You can give
individual users access to individual sets of files. Yes, you can
get down to the User A can execute files a, b, c, and d, User B can
execute files c and d, and User C can execute everything except file b.

3b. Some said it is possible to list which files specific users have
access to use. I haven't had time to confirm this yet.

5. What do I do about menu-based programs, like solstice? They can
    delete and add hosts without control from sudo...

5a. Only give commands like vi to users you trust.

5b. "Philip A. Fitzpatrick" <phil@philco.libs.uga.edu> said:

You pose very appropriate questions. I believe that the intended and
most functional manner in which to employ sudo is by giving users
*only* those that they need in order to get their tasks
completed. Therefore, if a user only can perform those specific tasks
specified in the /etc/sudoers file, he/she cannot do unsavory things
of the like you have previously described. I have had instances in
the past where there was a tight knit of folks using root to do things
and I initially set it up so that all those folks could do just about
everything, and then as I kept up with the sudo.log, I weaned out full
root access until things were all tidy. This is the only instance I
can see for which you would want to give users full root access via
sudo for extended periods. Otherwise, it's somewhat pointless.

Much thanks to:

Trey Valenta <trey@zipcon.net>
Tom Henning <tom@waldtsvr.ksc.nasa.gov>
Rich Snyder <rsnyder@eos.hitc.com>
"Stevan P. Meck" <mecksp@corr.state.mi.us>
"Philip A. Fitzpatrick" <phil@philco.libs.uga.edu>
and others
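
The per-user restrictions described in 3a and 5b, written out as a sudoers fragment. This is an added example, not taken from the thread: the user names, the /usr/local/sbin/{a,b,c,d} paths and the log path are placeholders, and sudoedit and NOEXEC are features of current sudo releases that the contributors did not mention.

```sudoers
# Added example; every name and path below is a placeholder.
# Edit with visudo so the syntax is checked before the file is installed.

# Commands "a" through "d" from answer 3a (hypothetical paths).
Cmnd_Alias CMD_A = /usr/local/sbin/a
Cmnd_Alias CMD_B = /usr/local/sbin/b
Cmnd_Alias CMD_C = /usr/local/sbin/c
Cmnd_Alias CMD_D = /usr/local/sbin/d

# User A: a, b, c and d.  User B: c and d only.
usera  ALL = (root) CMD_A, CMD_B, CMD_C, CMD_D
userb  ALL = (root) CMD_C, CMD_D

# User C: everything except b. This is the weak form: ALL still grants
# shells and editors, and the sudoers manual warns that "!" exclusions
# are easy to circumvent. Prefer an explicit allow list like the two above.
userc  ALL = (root) ALL, !CMD_B

# Weak: an editor run as root can write any file and start a root shell
# (the vi case from question 3).
#userd ALL = (root) /usr/bin/vi

# Corrected: sudoedit runs the editor as the invoking user on a temporary
# copy and installs the result as root, only for the files named here.
userd  ALL = (root) sudoedit /etc/hosts

# NOEXEC stops a dynamically linked program from executing further
# commands, such as a pager's shell escape. It does not restrict which
# files the program itself can write.
userd  ALL = (root) NOEXEC: /usr/bin/less /var/log/messages

# Keep the sudo log that 5b relies on when trimming access over time.
Defaults logfile=/var/log/sudo.log
```

In the command from question 3, the `>> /etc/passwd` redirection is performed by the invoking user's own shell before sudo runs, so what the policy has to control is permitted commands that write files or start other programs as root.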


