Mailing List Archive
- Date: Mon, 28 May 2007 12:35:01 +0900
- From: "Erin D. Hughes" <erin-hughes@example.com>
- Subject: Re: [tlug] server installation best practices/ worksheet
- References: <4F9DBC6A-C926-4369-A9B0-05A2078F91CE@miyazaki-mic.ac.jp> <46528A96.6050903@gmo.jp> <979F1B40-7425-41B2-8E4E-0D49890697A5@miyazaki-mic.ac.jp> <46539705.1010601@gmo.jp> <4656ECBB.3060100@runbox.com> <4656FE51.9090301@gmail.com> <1180107401.26169.4.camel@musuko.uchicago.edu> <d8fcc0800705251646v759b9fa5g70f7420258aa05ab@mail.gmail.com> <46578B18.70605@dcook.org> <d8fcc0800705271745y1e6c0d64i1e5f1e4748f038e9@mail.gmail.com>
- Organization: UNIX TEAM ZERO
- User-agent: Thunderbird 1.5.0.10 (X11/20070302)
Josh Glover wrote:
> On 26/05/07, Darren Cook <darren@example.com> wrote:
>> The first (and in fact only) thing I do when I "only" have sudo access is "sudo bash". The first time I tried it I was amazed it worked, but it is so much easier than typing in a password every time (it is rare that if I need root that I only need to run one command).
> Most sudo-using sites that take security seriously do not allow invocation of a shell through sudo.
AUGHH
#5 on my list was about sudo... one thing I forgot was: MAKE SURE to set it up correctly.
If I were setting it up for a large scale environment I might try something like this.
1st level people are allowed to change passwords and check quotas. 2nd level can restart processes and use "most" commands. 3rd level can sudo to bash and have all access.
Example of settings I might use: [1]
# Alias names must start with an uppercase letter and may contain only
# uppercase letters, digits and underscores, so the tiers are named
# STAFF, LEV2 and LEV1 here.
User_Alias STAFF = USER1, USER2, USER3
User_Alias LEV2 = USER4, USER5, USER6
User_Alias LEV1 = CUSTSER1, CUSTSER2, CUSTSER3

# 3rd level: everything
STAFF ALL = ALL
# 2nd level: any command under the op-bin directory
LEV2 ALL = /usr/local/op-bin/
# 1st level: passwd for any user except root, plus quota
LEV1 ALL = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root, /usr/sbin/quota
STAFF can run all commands.
2nd level can run commands located in /usr/local/op-bin/ These commands are symlinked into that directory.
1st level can change passwords (except on root) and run the quota command.
This is good. But nothing is perfect and you need to check and make sure that the accounts are not being abused.
Case in point: if the ln command was in the op-bin dir and a 2nd level user who was tired of entering his password decided to make a symbolic link to bash in the op-bin dir, it would be possible to do so. Check and recheck; security is not a static thing.
While as a member of the STAFF group you would be able to run bash, it can also be corrected later in your sudoers file by adding something like this. [1]
STAFF ALL = NOEXEC: /usr/local/bin/bash
The NOEXEC function lets users run a command but not another command from the initial command.
E./
[1] http://www.gratisoft.us/sudo/man/sudoers.html
--
Erin D. Hughes GMO Internet,
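The op-bin trick in the post (a 2nd-level user using a sudo-able ln to plant a symlink to bash in the directory) is easy to catch if you audit the directory regularly. The script below is an added example, not part of the original message or of the sudo project; it walks a command directory such as the /usr/local/op-bin/ above, resolves each entry, and flags anything that resolves to a shell, to ln/cp/mv, to an editor or to an interpreter (a deny list constructed for this example), plus any target that is writable by group or other, since root will execute it. It assumes readlink(1) with -f (GNU coreutils, BusyBox, recent BSD/macOS) and a find(1) that accepts -perm -002.

```shell
#!/bin/sh
# Audit a sudo "command directory" like /usr/local/op-bin/: every entry can be
# run as root by the 2nd-level users, so any entry (file or symlink) that
# resolves to a shell, to ln/cp/mv, to an editor or to an interpreter hands
# those users a root shell.  Added example, not code from the original post.

# Assumed deny list for this example: programs that spawn a shell or can
# write arbitrary files as root (ln is what the post's user abused to plant
# a new op-bin entry).  Extend it for your own site.
SHELL_ESCAPES="sh bash dash ksh zsh csh tcsh busybox ln cp mv find vi vim ed less more perl python python3 awk env"

# is_shell_escape NAME: returns 0 if NAME is on the deny list, 1 otherwise
is_shell_escape() {
    for bad in $SHELL_ESCAPES; do
        [ "$1" = "$bad" ] && return 0
    done
    return 1
}

# resolve_target PATH: final path after following symlinks, or PATH itself
# when it is not a link or cannot be resolved
resolve_target() {
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# audit_opbin DIR: prints one line per risky entry; returns 0 if the
# directory is clean and 1 if anything was flagged
audit_opbin() {
    dir=$1
    flagged=0
    for entry in "$dir"/*; do
        # an empty directory leaves the literal glob behind; skip it
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        target=$(resolve_target "$entry")
        base=$(basename "$target")
        if is_shell_escape "$base"; then
            printf 'SHELL-ESCAPE %s -> %s\n' "$entry" "$target"
            flagged=1
        elif [ -n "$(find "$target" -prune -perm -002 2>/dev/null)" ]; then
            # root runs whatever anyone writes into this file
            printf 'WORLD-WRITABLE %s -> %s\n' "$entry" "$target"
            flagged=1
        fi
    done
    return $flagged
}

# Usage: audit_opbin /usr/local/op-bin
```

Run it from cron and mail the output; a non-zero exit means somebody has added an entry the tiering was never meant to allow. Pair it with a NOEXEC tag on the op-bin rule so that even a legitimate wrapper in that directory cannot exec a shell from inside itself.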