Nix, Robert P. wrote:
Look for the "rootpw", "targetpw" or "runaspw" option in the Sudoers file.
These would force it to ask for root's password instead of the issuing user's password. While not the program
default, many distributions come with one of these set.
Also, your guard against the use of the passwd command will not work, as the user could
just do "sudo bash" to give themselves a root shell, and execute the passwd
command from there. It is very difficult to restrict what a user will do once you've
opened the flood gates. The only real way is to restrict the user to specific, known,
needed commands. Even then, you can let something slip through that would allow them to
run a command within the program you've allowed (such as vi), that would give them a
shell, and thus access to everything.
You can also grant access to a directory contents, so your backup
operators might be given the ability to run, as root, the contents of
/home/groups/operators/bin
Be sure to set PATH and unset any environment vars you know are not
needed, to set others that are.
--
Cheers
John
-- spambait
[EMAIL PROTECTED] [EMAIL PROTECTED]
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
