On Fri, 02 Aug 2002 13:35:58 -0700
"David Guntner" <[EMAIL PROTECTED]> wrote:
> Hey Vince, I just read your article at mandrakesecure.net
> regarding sudo. Excellent article. (Now, I just need to get
> going on the msec stuff so I can figure out how to tone down
> some of security level 4's more obnoxious habits.... :)
>
> I like what you mentioned regarding using sudo to restrict
> access to the su command. I've currently got sudo configured to
> allow anyone in the wheel group (which currently consists of me
> only, and isn't likely to change anytime soon... :) to run
> anything as root ("%wheel ALL=(ALL) NOPASSWD: ALL"), and
> as a result of your suggestion in your article, I've removed the
> suid bit from /bin/su. Assuming that msec level 4 doesn't
> decide to "repair" that later on, I've got that part covered.
>
> Couple of questions for you: If I've set up things like above,
> where someone in the wheel group can run anything, and then set
> up another entry which says that anyone in the adm group can run
> a more restricted subset of commands, what happens if the person
> (me, in this case) belongs to both groups? Does the higher
> access (wheel group) take priority, or does the lower, more
> restricted access (adm group) take priority?
>
> The other question is this: Is it possible to set up sshd so
> that it will use that key-based login thing you talked about in
> an earlier message for some users, while allowing password
> logins for others? That would be a kind-of happy medium for me,
> so that I can restrict access to my personal account without
> making things needlessly complicated for my friends who access
> the machine? I've already got sshd configured to deny direct
> root logins, so you have to login as someone else first and then
> su to root. Since I've just gotten rid of the suid bit off of
> /bin/su, I've made my personal login ID the "window to root."
> :-) As I previously mentioned, I'm pretty careful about the
> passwords I pick for myself, but if I can enable the key-based
> login for myself (while allowing password logins for others), I
> could make it that much harder for someone to compromise my
> machine.
>
> TIA!
>
> --Dave
> --
> David Guntner GEnie: Just say NO!
> http://www.akaMail.com/pgpkey/davidg or key server
> for PGP Public key
>
>
The above brings a question to mind that I've never found an
answer to. How is it that Linux doesn't use 'groups' in the same
manner as, say, FreeBSD? If you aren't in wheel you don't get access to
su, if you aren't in group newproject you can't see newproject's
files, etc. etc. Better yet, is there somewhere I can find info on
how to implement this under Linux?
James
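An added example, not part of the thread, for the second question above (key-only login for one account while others keep passwords): OpenSSH 4.4 and later read per-user overrides from a Match block in sshd_config, so the password setting can be switched off for a single user without touching the global default. The user name davidg is an assumed placeholder for the "window to root" account.

```sshd_config
# /etc/ssh/sshd_config excerpt (constructed example; davidg is a placeholder)

# Global policy, as the thread already has it: no direct root logins.
PermitRootLogin no

# Default for every other account: keys and passwords both accepted.
PubkeyAuthentication yes
PasswordAuthentication yes

# Keyboard-interactive (PAM) can still produce a password prompt even
# when PasswordAuthentication is off, so disable it as well.
ChallengeResponseAuthentication no

# Per-user override: the account that can sudo/su to root is key-only.
# Match blocks must come after all global directives; a Match line
# applies to everything below it until the next Match or end of file.
Match User davidg
    PasswordAuthentication no
    PubkeyAuthentication yes
```

Before restarting sshd, check the effective value for that user with `sshd -T -C user=davidg | grep -i passwordauthentication` (OpenSSH 5.1 or later), and keep an existing session open until a fresh key-based login has been confirmed to work.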