On Thu Aug 08, 2002 at 12:23:10PM -0700, David Guntner wrote:

> (I'm cc'ing you, Vincent, because I'm not sure the list is working well 
> today and I want to be sure you see my reply.)

Got both, so it's ok... =)

> > On Fri Aug 02, 2002 at 01:35:58PM -0700, David Guntner wrote:
> > 
> > I don't think I've replied to this already, but my mail is kinda
> > messed up right now, so I'm not sure.  If I have, forgive me.
> 
> No you hadn't, and I was beginning to feel positively unloved. :-)

hehehe... sorry about that.

> I hope you get your mail straightened out soon.  I know how much fun that 
> can be...

I was trying to switch all of my email to Sylpheed from mutt... after
doing so and using it for a few days I decided to go back to
mutt... Sylpheed just wasn't doing what I needed it to do (wasn't
working with TMDA properly).  Oh well.

> > Both.  An easy way to check is to put the rules in then, as the user,
> > run "sudo -l".  It will list everything you have access to and as what
> > user.  I don't think sudo does a "first match wins", but checks to see
> > if you apply to any given rule.  If you do, you get access.
> > 
> > Of course, if you have %wheel assigned to run everything as root, why
> > would you need to be in the adm group?  You obviously don't need to be
> > in the adm group.
> 
> I know it seems odd. :-)  But the idea is that I want to be able to look at 
> certain files that are group readable to the adm group (which one of my 
> more trusted users is part of) without having to sudo to do it.  If I 
> belong to the group, then I've already got access to the file.  I love the 
> convenience of sudo, but I don't want to have to use it for everything I 
> do.  Otherwise, I might just as well sign in as root all the time. :-)

Fair enough.  In that case, whatever privs you give to group adm, you
don't have to give to group wheel also, unless you plan on having
people in group wheel that are not in group adm, but it doesn't sound
like that is what you are doing.

> > A better option is to use a little more granularity
> > in your rules and use sudo's grouping; ie. use something like:
> > 
> > User_Alias  ADM = dave, john
> > 
> > ADM  ALL = NOPASSWD: /etc/init.d/httpd, /etc/init.d/mysql
> 
> Good thought, though.  I'll keep it in mind for future applications.

=)

[...]
> > > the key-based login for myself (while allowing password logins for others), 
> > > I could make it that much harder for someone to compromise my machine.
> > 
> > Ummm...  good question.  I believe you can do so with client options
> > on your account.  You'll have to allow password authentication
> > server-wide, but you can probably setup your own personal config so
> > that password authentication is not allowed on your account.
> > 
> > Give me some time, I'm writing an article about the many uses of
> > openssh for MandrakeSecure that I hope to have out next week.
> 
> Sounds good.  I'll be eagerly awaiting it.  Like I said, I need to have 
> password authentication turned on because some of my friends just flat-out 
> aren't up to anything else. :-)  But since *my* ID now effectively holds 
> the "keys to the kingdom," I want to lock it up as tight as I can.

Looking around, I think it can be done, but I don't have the answer
yet...  My writing of the piece on openssh has been interrupted with a
few other things that need to be dealt with first.  I'll try to finish
it up this weekend... then it will give you all kinds of tips and
ideas on using openssh effectively... =)

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
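As an added example, not part of the thread above and not anything its authors wrote, the following POSIX shell script writes the two configurations the thread is circling around and runs each through its own syntax checker. The sudoers fragment grants a named set of users exactly two init scripts, using the User_Alias/Cmnd_Alias grouping suggested above; since sudoers applies the last matching entry, keeping each grant in a single alias-based rule avoids a later rule quietly widening an earlier one. The sshd_config fragment keeps password logins on for everyone except one account, which is done with a `Match User` block; that directive exists in OpenSSH 4.4 and later, which postdates this 2002 message, so it was not an option for the original poster. The user names dave and john, the init script paths, the locked-down account "dave" and the scratch directory are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes a sudoers fragment and an
# sshd_config fragment into a scratch directory, then checks each with the
# tool's own parser when that tool is installed. All names are placeholders.

SCRATCH="${SCRATCH:-$(mktemp -d)}"

# Sudoers: the named users get exactly two commands, nothing else. Prints the
# path of the fragment it wrote. Because sudoers takes the LAST matching entry,
# one alias-based rule per grant is easier to audit than overlapping rules.
write_sudoers_fragment() {
    out="$SCRATCH/adm-services"
    cat > "$out" <<'EOF'
# Constructed example fragment (drop into /etc/sudoers.d/ or merge via visudo)
User_Alias  ADM      = dave, john
Cmnd_Alias  SERVICES = /etc/init.d/httpd, /etc/init.d/mysql
ADM  ALL = NOPASSWD: SERVICES
EOF
    chmod 0440 "$out"
    printf '%s\n' "$out"
}

# Parse a fragment with visudo. Prints "ok" when visudo reports "parsed OK",
# "syntax-error" otherwise, and "skipped" when visudo is not installed.
# Ownership/mode complaints from visudo are ignored; only the parse matters here.
check_sudoers_fragment() {
    file="$1"
    if ! command -v visudo >/dev/null 2>&1; then
        printf 'skipped\n'
        return 0
    fi
    result=$(visudo -c -f "$file" 2>&1) || true
    case "$result" in
        *"parsed OK"*) printf 'ok\n' ;;
        *)             printf 'syntax-error\n'; printf '%s\n' "$result" >&2 ;;
    esac
}

# sshd_config: passwords stay enabled server-wide, but one account is limited to
# keys. Global settings must come first: every directive after a "Match" line
# belongs to that block. KbdInteractiveAuthentication is switched off too,
# otherwise PAM's keyboard-interactive method can still prompt for the password.
write_sshd_fragment() {
    out="$SCRATCH/sshd_config"
    cat > "$out" <<'EOF'
# Constructed example: global settings first ...
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no

# ... then the per-account override; "dave" is a placeholder account name.
Match User dave
    PasswordAuthentication no
    KbdInteractiveAuthentication no
EOF
    printf '%s\n' "$out"
}

# Test the fragment with "sshd -t". Prints "ok", "config-error", or "skipped"
# when sshd is missing or has no readable host keys on this machine.
check_sshd_fragment() {
    file="$1"
    if ! command -v sshd >/dev/null 2>&1; then
        printf 'skipped\n'
        return 0
    fi
    result=$(sshd -t -f "$file" 2>&1) && { printf 'ok\n'; return 0; }
    case "$result" in
        *hostkey*) printf 'skipped\n' ;;
        *)         printf 'config-error\n'; printf '%s\n' "$result" >&2 ;;
    esac
}

# Driver: write both fragments and report what the checkers said.
main() {
    s=$(write_sudoers_fragment)
    printf 'sudoers fragment %s: %s\n' "$s" "$(check_sudoers_fragment "$s")"
    c=$(write_sshd_fragment)
    printf 'sshd fragment %s: %s\n' "$c" "$(check_sshd_fragment "$c")"
    printf 'A user listed in ADM can run "sudo -l" to see exactly what was granted.\n'
}
main
```

After installing the sudoers fragment, running `sudo -l` as one of the listed users shows only the SERVICES commands, which is the check the thread recommends. The ordering test in the sshd fragment matters in practice: a `PasswordAuthentication yes` placed after the `Match` block would apply to dave only and silently undo the restriction.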
