FACORAT Fabrice wrote:
> As everybody knows, being connected as root is evil/bad.
> But you may want to have a special user that can do some maintenance
> tasks (using mdk tools) but who doesn't have all of the power of root.
>
> Can this be accomplished? IMHO, yes.
>
> 1°/ during installation you specify the admin user, or better you click
> "Add Admin user" and then type the password.

If you have installed in high security mode (msec 4 even IIRC), you will
notice the opportunity to check some group memberships (at least
'wheel', maybe a few more). I forget if 'adm' is there, but we are
abusing this group in samba (members of 'adm' can upload printer drivers
by default, and join Windows machines to the samba domain - essentially
the same as the "Domain Admins" group in Windows), so maybe it should be
used here?

>
> 2°/ sudo should be configured so that this user can launch WITHOUT root
> password all drakxtools, printer administration tools.

Agreed, plus some other things, like 'service', 'urpmi', 'urpmi.update',
maybe 'postfix' so they can run 'postfix flush' etc:

Cmnd_Alias      URPMI_CMND = /usr/sbin/urpmi, /usr/sbin/urpmi.update
Cmnd_Alias      SERVICE_CMND = /sbin/service, /usr/sbin/postfix

%adm    ALL= NOPASSWD: URPMI_CMND
%adm    ALL= NOPASSWD: SERVICE_CMND

$ sudo -l
User bgmilne may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/urpmi, /usr/sbin/urpmi.update
    (root) NOPASSWD: /sbin/service, /usr/sbin/postfix

I mentioned this a while back, but probably too late. Can we start
collecting more useful sudo configs?

Fabrice, do you have write access to the wiki? This is the kind of stuff
I originally meant to put under "The Big Picture":
http://qa.mandrakesoft.com/twiki/bin/view/Main/TheBigPicture

> If some
> drakxtools need to be launched only by root they should prompt a dialog
> box and ask for the root password.

AFAIK there is no graphical launcher that supports sudo at present.

> If you can detect when a user is sudoed,
> it's just a matter of performing some checks, if this is impossible,
> then it should ask for this password every time.
>
> 3°/ the desktop of this user should be customized. Under KDE with
> superkaramba you have mandrakesecure theme so that he can see security
> advisories. Under gnome, he's got the gdesklet equivalent.
> mutray could also be installed. The same for evolution summary (summary
> screen).
>
> 4°/ Instead of Mandrake galaxy, the Admin user should see a wizard a
> little bit like the Windows 2000/2003 one which proposes several tasks to
> do. This wizard should have blue color as this is Mandrake colors and be
> task oriented.
>

Screenshot:
http://ranger.dnsalias.com/mandrake/screenshots/win2k3/manage_server.png

While we're here, this is a nice idea:

http://ranger.dnsalias.com/mandrake/screenshots/win2k3/shut_down_dialog.png

> 5°/ in order to avoid conflict with user custom groups, this Admin user
> could belong to adm group, or root group ...

Agreed, since we (samba) already abuse this group ...

>
> Advantages :
> - joe user connects with Admin account and manages the computer with admin
> account. As Admin user doesn't have all the rights root has, possible
> damage will be less important : a "rm -fr" in / will have less
> consequences ;)
> - joe user only needs to know root password for very specific tasks (
> kernel recompilation, driver installation, software compilation ).

Not kernel compilation, only kernel installation ... software compilation
should not need sudo (that's too complicated, and more risky IMHO), but
in msec 4 you need to be in ctools group anyway.

> - we have an account we can customize and where we will be able to show
> all needed information ( security advisories, logs, security email, ... )

IMHO, at least the rights (ie sudo) need to be per group.

And imagine if we could store sudo config in LDAP?

(well, at least it allows configuration for multiple hosts in one config
file ... but it could be better).

Regards,
Buchan

- --
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
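
An added example (not part of the original message or of any Mandrake tool): a small Python audit that expands the Cmnd_Alias entries in the sudoers fragment quoted above and lists what each rule actually grants. It flags commands listed without arguments, since sudoers then accepts any arguments, so the /usr/sbin/postfix entry covers every postfix subcommand and not only 'postfix flush'. The parser is a simplification that assumes one rule per line, with no line continuations, User_Alias or Defaults entries.

```python
import re

# Sudoers fragment quoted in the message above, reproduced as sample input.
SUDOERS = """\
Cmnd_Alias      URPMI_CMND = /usr/sbin/urpmi, /usr/sbin/urpmi.update
Cmnd_Alias      SERVICE_CMND = /sbin/service, /usr/sbin/postfix

%adm    ALL= NOPASSWD: URPMI_CMND
%adm    ALL= NOPASSWD: SERVICE_CMND
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# principal, host list, optional (runas), optional tags such as NOPASSWD:, commands
RULE_RE = re.compile(
    r"^(%?[\w.-]+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?((?:\w+:\s*)*)(.+)$")


def audit(text):
    """Expand Cmnd_Alias names and return one record per granted command."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    aliases = {}
    for line in lines:
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    grants = []
    for line in lines:
        m = None if ALIAS_RE.match(line) else RULE_RE.match(line)
        if not m:
            continue
        who, _host, runas, tags, cmds = m.groups()
        for item in (c.strip() for c in cmds.split(",")):
            for cmd in aliases.get(item, [item]):
                grants.append({
                    "who": who,
                    "runas": runas or "root",  # sudoers default target user
                    "command": cmd,
                    "nopasswd": "NOPASSWD:" in tags,
                    # a command listed without arguments matches any arguments
                    "any_args": len(cmd.split()) == 1,
                })
    return grants


if __name__ == "__main__":
    for g in audit(SUDOERS):
        flag = "ANY ARGS" if g["any_args"] else "fixed args"
        pw = "NOPASSWD" if g["nopasswd"] else "password"
        print(f'{g["who"]:6} ({g["runas"]}) {pw:9} {flag:10} {g["command"]}')
```

Writing the entry as '/usr/sbin/postfix flush' in the alias makes the audit report it with fixed arguments.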