On Wed, 21 Jun 2000, Derek Martin wrote:
> Today, Bob Bell gleaned this insight:
>
> > I also never quite know what I am going to need to do next. This
> > makes it hard to just grant certain privileges. It would be a *huge*
> > damper on productivity if I had to ask for permission each time I
> > needed to try something different as root. And what would be the
> > point of using sudo to grant full access to everything?
>
> The point is at least there's some accountability. sudo logs everything
> you do when you run it. I would prevent my users from being able to run
> any of the shells and editors that provide a shell, and make it clear that
> if you run a program that gives you generic root privileges, you're
> violating the security policy and there will be consequences. Then have
> any such system log to a remote syslog server and have a log parser watch
> for violations. NOTE: THIS IS ONLY NECESSARY FOR MACHINES WITH TRUST
> RELATIONSHIPS WITH PRODUCTION MACHINES. If you want to completely
> disassociate a given machine from the network, i.e. don't get NFS mounts
> and be disallowed from participating in NIS (actually NIS is a whole separate
> security fiasco, but that's a topic for another day), then none of this is
> necessary.
>
I'm not an expert on SUDO (actually, I've only used it on one machine,
that I was responsible for at my last job, with me & my boss having
access), but I want to amplify one thing: you can set SUDO to allow
someone to perform any root action. However, they're all logged. I
actually had it set to do this, because I could do lots of testing as
me, then type "sudo <command>" to actually run it. Was faster to do
the sudo/my password than to do "su -, root password, command, exit"
and I didn't have to worry about leaving myself in a root shell &
accidentally doing something stupid (not that anyone would ever
possibly type a damaging command without checking whether they're
root;-). Although the logging wasn't something I particularly was
using it for, that's actually an additional benefit for the admins:
if something goes wrong, they can look in the sudo log, find out
exactly who typed what, that may have caused the problem.
In addition to myself, I had it set up so my boss could restart our
test apache & samba servers, without needing root access.
jeff
------------------------------------------------------------------------
Jeffry Smith Technical Sales Consultant Mission Critical Linux
[EMAIL PROTECTED] phone:603.930.9379 fax:978.446.9470
------------------------------------------------------------------------
Thought for today: Neutrinos have bad breadth.
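
The remote-syslog log parser suggested in the quoted message could look like the sketch below. This is an added example, not code from either poster; it assumes sudo's standard syslog record layout, the `SHELLS` and `ESCAPES` policy lists are hypothetical, and the sample log lines are constructed.

```python
import os
import re

# Assumed policy lists: programs that give an unrestricted root shell,
# and editors/pagers that can spawn one through a shell escape.
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "su"}
ESCAPES = {"vi", "vim", "emacs", "ed", "less", "more"}

# sudo record: "<user> : [<reason> ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;=]+) ; )?TTY=\S+ ; PWD=.*? ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def find_violations(lines):
    """Return (host, user, finding, command) for each record worth a look."""
    hits = []
    for line in lines:
        m = SUDO_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a sudo command record
        cmd = m["cmd"]
        parts = cmd.split()
        prog = os.path.basename(parts[0]) if parts else ""
        if m["reason"]:
            finding = "denied: " + m["reason"]  # sudo refused the request
        elif prog in SHELLS:
            finding = "root shell"
        elif prog in ESCAPES:
            finding = "shell-capable editor"
        else:
            continue  # specific permitted command: logged, not flagged
        hits.append((m["host"], m["user"], finding, cmd))
    return hits

# Constructed sample of what the remote syslog server would collect.
SAMPLE = [
    "Jun 21 10:02:11 dev1 sudo:     jeff : TTY=pts/2 ; PWD=/home/jeff ; USER=root ; COMMAND=/usr/sbin/apachectl restart",
    "Jun 21 10:05:40 dev1 sudo:     bob : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash",
    "Jun 21 10:09:03 dev2 sudo:     bob : TTY=pts/3 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/exports",
    "Jun 21 10:12:27 dev2 sudo:     carol : command not allowed ; TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/sbin/reboot",
    "Jun 21 10:13:00 dev2 sshd[412]: Accepted password for carol from 192.0.2.7",
]

if __name__ == "__main__":
    for hit in find_violations(SAMPLE):
        print(*hit, sep=" | ")
```

The parser matches only on the logged program name, so it reports what sudo recorded; anything done inside a shell or editor after it starts does not appear in the sudo log.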