Mailing List Archive



Re: [tlug] server installation best practices/ worksheet



Josh Glover wrote:
On 26/05/07, Darren Cook <darren@example.com> wrote:

The first (and in fact only) thing I do when I "only" have sudo access
is "sudo bash". The first time I tried it I was amazed it worked, but it
is so much easier than typing in a password every time (it is rare that
if I need root that I only need to run one command).

Most sudo-using sites that take security seriously do not allow invocation of a shell through sudo.


AUGHH
#5 on my list was about sudo... one thing I forgot was to MAKE SURE to set it up correctly.
If I were setting it up for a large scale environment I might try something like this.


1st level people are allowed to change passwords and check quotas.
2nd level can restart processes and use "most" commands.
3rd level can sudo to bash and have all access.

Example of settings I might use: [1]

# sudoers(5): an alias NAME must start with an uppercase letter, so
# "2nd_lev"/"1st_lev" would be rejected by visudo; renamed to LEV2/LEV1.
User_Alias      STAFF=USER1,USER2,USER3
User_Alias      LEV2=USER4,USER5,USER6
User_Alias      LEV1=CUSTSER1,CUSTSER2,CUSTSER3

STAFF ALL=ALL
# A trailing slash means "any command found in this directory".
LEV2 ALL=/usr/local/op-bin/
# [A-Za-z]* rather than [A-z]*: the latter range also matches [ \ ] ^ _ `.
# Every entry in the command list, the negated one included, is comma separated.
LEV1 ALL=/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root, /usr/sbin/quota


STAFF can run all commands.
2nd level can run commands located in /usr/local/op-bin/. These commands are symlinked into that directory.
1st level can change passwords (except on root) and the quota command.


This is good. But nothing is perfect, and you need to check and make sure that the accounts are not being abused.
Case in point: if the ln command was in the op-bin dir and a 2nd level user who was tired of entering his password decided to make a symbolic link to bash in the op-bin dir, it would be possible to do so. Check and recheck; security is not a static thing.


While as a member of the STAFF group you would be able to run bash, it can also be corrected later in your sudoers file by adding something like this: [1]

# NOEXEC preloads a library that disables the exec family of calls in the
# listed program (dynamically linked programs only), so this bash could run
# nothing but shell builtins; the sudoers man page uses it for programs with
# shell escapes such as vi and more.
STAFF ALL = NOEXEC: /usr/local/bin/bash

The NOEXEC function lets users run a command but not another command from the initial command.


E./

[1] http://www.gratisoft.us/sudo/man/sudoers.html


--
Erin D. Hughes GMO Internet,
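A way to catch the op-bin abuse described in the post above (a symlink to a shell hidden under an innocent name, or an ln that lets a 2nd level user plant one), as an added example that is not part of the original message or of the sudo project. It assumes readlink -f and find -maxdepth are available (GNU, BSD and busybox all have them), and the SHELLS and ESCAPES word lists are my own starting point rather than anything sudo defines:

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from sudo itself): audit a sudo
# "command directory" such as the /usr/local/op-bin/ above. With
# "LEV2 ALL=/usr/local/op-bin/" every entry in that directory runs as root, so a
# link to a shell, to a multi-call binary that contains one (busybox), or to a
# command that can add entries (ln, cp, ...) is equivalent to "ALL".
# Assumptions: readlink -f and find -maxdepth exist; SHELLS/ESCAPES are my lists.
set -u

SHELLS="sh bash dash ksh zsh csh tcsh fish busybox"
# File-writing commands plus editors/pagers with well-known shell escapes.
ESCAPES="ln cp mv install tee dd chmod chown vi vim nano less more man find perl python python3 env"

in_list() {  # in_list NEEDLE WORD...
    local needle=$1 item
    shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# True when group or world can write to PATH: then someone other than root
# decides what sudo will execute.
group_or_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# audit_op_bin DIR: print one "finding: ..." line per problem.
# Returns 0 when the directory looks clean, 1 when anything was flagged.
audit_op_bin() {
    local dir=$1 bad=0 entry name target base

    if group_or_world_writable "$dir"; then
        echo "finding: $dir is group/world writable (anyone can add a shell)"
        bad=1
    fi

    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        name=${entry##*/}

        if [ ! -L "$entry" ]; then
            echo "finding: $name is not a symlink (unreviewed binary or script)"
            bad=1
            continue
        fi

        target=$(readlink -f -- "$entry" 2>/dev/null) || target=""
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            echo "finding: $name is a dangling symlink"
            bad=1
            continue
        fi
        base=${target##*/}

        if in_list "$base" $SHELLS; then
            echo "finding: $name -> $target is a shell"
            bad=1
        elif in_list "$base" $ESCAPES; then
            echo "finding: $name -> $target can write files or escape to a shell"
            bad=1
        fi

        if group_or_world_writable "$target"; then
            echo "finding: $name -> $target is group/world writable"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed demo directory: one legitimate wrapper plus the abuse from the
# post (a shell behind an innocent name) and an ln that lets users add more.
demo() {
    local root opbin rc
    root=$(mktemp -d)
    mkdir -m 755 "$root/tools" "$root/op-bin"
    opbin=$root/op-bin
    printf '#!/bin/sh\nexit 0\n' > "$root/tools/restart-web"
    chmod 755 "$root/tools/restart-web"
    ln -s "$root/tools/restart-web" "$opbin/restart-web"   # fine
    ln -s /bin/sh                   "$opbin/check-quota"   # really a shell
    ln -s /bin/ln                   "$opbin/ln"            # lets LEV2 add links
    audit_op_bin "$opbin"
    rc=$?
    rm -rf "$root"
    return "$rc"
}

demo || echo "op-bin is NOT safe to hand out via sudo"
```

Run it from cron against the real directory and alert on a non-zero exit; the check on the directory's own permissions matters as much as the link targets, since a writable op-bin is the same hole as a link to ln.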




