RE: want sudo but not sudo su - how
-----Original Message-----
From: John [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 12, 2004 6:30 AM
To: [EMAIL PROTECTED]
Subject: Re: want sudo but not sudo su - how

On Sat, Jun 12, 2004 at 11:59:59AM +, Andy Smith wrote:
> It might be best to just say I don't want you doing this and then punish
> people who do, since you do have logs.

yeah, thought this might be the case :| thanks for confirming it.

> If you're trying to restrict what people can do with sudo it will be
> better to explicitly list each binary they can run as root and make sure
> there's no way they can modify those binaries.

yeah, but too many binaries (or roles too diffuse, tightening up of which
would be another way of handling it)

visudo and add

    john    ALL = /usr/bin/su [!-]*, !/usr/bin/su *root*

this will allow you to su to anyone but root

dave

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
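To see what dave's sudoers line actually permits, here is an added example (not part of the thread) that models how sudoers(5) matches a command against a Cmnd list and applies the posted rule to a handful of `sudo su ...` invocations. The matching semantics are a simplified model of sudo's own: the command path and the space-joined argument string are each compared with fnmatch(3)-style globbing, a spec prefixed with `!` denies, and when several specs match the last one listed wins. It assumes `su` resolves to `/usr/bin/su`, as on FreeBSD; quoting, sudoedit and digest specs are not modelled. The one caveat it surfaces: a default FreeBSD install also has the uid-0 account `toor`, and `su toor` passes `[!-]*` without being caught by `*root*`, so the rule as posted still hands out a uid-0 shell by that route (su run as root does not ask for toor's password).

```python
"""Simplified model of sudoers Cmnd matching, applied to the rule from the post.

Added example, not code from the original thread.  Semantics modelled:
  - path and argument string are matched with fnmatch-style globs
  - a spec starting with '!' denies
  - when several specs match, the last one wins (as in sudoers(5))
Assumption: the unqualified command 'su' resolves to /usr/bin/su.
"""
import fnmatch
import shlex

# The rule posted by dave, with whitespace restored.
SUDOERS_LINE = "john    ALL = /usr/bin/su [!-]*, !/usr/bin/su *root*"

# Constructed candidate invocations (what follows 'sudo').
CANDIDATES = [
    "su",              # no arguments
    "su -",            # the login shell the poster wants to forbid
    "su - operator",
    "su operator",
    "su root",
    "su -m root",
    "su toor",         # FreeBSD's second uid-0 account
]

ASSUMED_PATH_PREFIX = "/usr/bin/"   # assumption: where $PATH finds su


def parse_cmnd_specs(line):
    """Return [(negated, path_pattern, args_pattern_or_None), ...]
    from a 'user HOST = cmnd, cmnd, ...' sudoers line."""
    cmnd_list = line.split("=", 1)[1]
    specs = []
    for spec in cmnd_list.split(","):
        spec = spec.strip()
        negated = spec.startswith("!")
        if negated:
            spec = spec[1:].lstrip()
        parts = spec.split(None, 1)
        path_pat = parts[0]
        args_pat = parts[1] if len(parts) > 1 else None
        specs.append((negated, path_pat, args_pat))
    return specs


def spec_matches(spec, path, args):
    """Does one Cmnd spec match the resolved path and joined args?"""
    _negated, path_pat, args_pat = spec
    if not fnmatch.fnmatchcase(path, path_pat):
        return False
    if args_pat is None:        # no args in sudoers: any user args allowed
        return True
    if args_pat == '""':        # empty string in sudoers: no args allowed
        return args == ""
    return fnmatch.fnmatchcase(args, args_pat)


def is_permitted(specs, command_line):
    """Evaluate a command line (the part after 'sudo') against the specs.
    Last matching spec decides; no match means denied."""
    argv = shlex.split(command_line)
    path = argv[0] if argv[0].startswith("/") else ASSUMED_PATH_PREFIX + argv[0]
    args = " ".join(argv[1:])
    verdict = False
    for spec in specs:
        if spec_matches(spec, path, args):
            verdict = not spec[0]
    return verdict


def evaluate(line=SUDOERS_LINE, candidates=CANDIDATES):
    """Map each candidate invocation to True (permitted) / False (denied)."""
    specs = parse_cmnd_specs(line)
    return {c: is_permitted(specs, c) for c in candidates}


if __name__ == "__main__":
    for cmd, ok in evaluate().items():
        print(f"sudo {cmd:<16} {'permitted' if ok else 'denied'}")
```

Running it shows `su -`, `su root` and `su -m root` denied and `su operator` permitted, which is what the post intends, but also `su toor` permitted. Anyone relying on a pattern like this should check `/etc/master.passwd` for other uid-0 accounts and deny them explicitly, and keep in mind Andy's and Kirk's point below: a permitted command that can spawn a shell (or a shell reached via `su` to a non-root account that has its own sudo rights) undoes the restriction anyway.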
Re: want sudo but not sudo su - how
On Sat, Jun 12, 2004 at 11:14:02AM +0100, John wrote:
> Greetings, freebsd-questions
>
> I want to put operators in sudo BUT I don't want them to sudo su -
> because after they do that, subsequent commands enacted as root don't
> appear in the logs. The desired behaviour would be sudo su command (any
> command) but not sudo su -, for these users. Is there a way of
> enforcing this?

You might be able to do it by limiting the commands that are accessible
to the person, but if they run any shell, or run any program that drops
to a shell (e.g. one they wrote themselves in 2 minutes) then they would
have an unrestricted root shell again.

> The reason being that if they do something and the server eg goes
> titsup, I want to see what was done in the logs. Would be grateful for
> any assistance the list may have.

It might be best to just say I don't want you doing this and then punish
people who do, since you do have logs.

If you're trying to restrict what people can do with sudo it will be
better to explicitly list each binary they can run as root and make sure
there's no way they can modify those binaries.

-- 
http://freebsdwiki.org/ - Encrypted mail welcome - keyid 0xBF15490B
Re: want sudo but not sudo su - how
On Sat, Jun 12, 2004 at 11:59:59AM +, Andy Smith wrote:
> It might be best to just say I don't want you doing this and then punish
> people who do, since you do have logs.

yeah, thought this might be the case :| thanks for confirming it.

> If you're trying to restrict what people can do with sudo it will be
> better to explicitly list each binary they can run as root and make sure
> there's no way they can modify those binaries.

yeah, but too many binaries (or roles too diffuse, tightening up of which
would be another way of handling it)

cheers
-- 
John
Re: want sudo but not sudo su - how
At 2004-06-12T10:14:02Z, John [EMAIL PROTECTED] writes:
> Is there a way of enforcing this?

No. For example, if you let them run vim as root, then they can open a
shell from there and run commands in it. Either configure a list of
commands that they can use safely, or set down a clear policy and
enforce it.

-- 
Kirk Strauser
94 outdated ports on the box, 94 outdated ports. Portupgrade one, an
hour 'til done, 82 outdated ports on the box.