On Fri 03/10/2003 at 15:56, Buchan Milne wrote:
> FACORAT Fabrice wrote:
> >
> > 2°/ sudo should be configured so that this user can launch, WITHOUT the
> > root password, all drakxtools and printer administration tools.
> 
> Agreed, plus some other things, like 'service', 'urpmi', 'urpmi.update',
> maybe 'postfix' so they can run 'postfix flush' etc:
> 
> Cmnd_Alias      URPMI_CMND = /usr/sbin/urpmi, /usr/sbin/urpmi.update
> Cmnd_Alias      SERVICE_CMND = /sbin/service, /usr/sbin/postfix
> %adm    ALL= NOPASSWD: URPMI_CMND
> %adm    ALL= NOPASSWD: SERVICE_CMND
> 
> $ sudo -l
> User bgmilne may run the following commands on this host:
>     (root) NOPASSWD: /usr/sbin/urpmi, /usr/sbin/urpmi.update
>     (root) NOPASSWD: /sbin/service, /usr/sbin/postfix
> 
> I mentioned this a while back, but probably too late. Can we start
> collecting more useful sudo configs?

Cmnd_Alias PRINTING = /usr/bin/enable, /usr/bin/disable
Cmnd_Alias PACKAGES = /usr/bin/rpm
Cmnd_Alias DRAKXTOOLS = all drakxtools progs
Cmnd_Alias ADSL = /usr/sbin/adsl-connect, /usr/sbin/adsl-setup, \
    /usr/sbin/adsl-start, /usr/sbin/adsl-status, /usr/sbin/adsl-stop
Cmnd_Alias SAGEM = /usr/sbin/showstat, /usr/sbin/startadsl, \
    /usr/sbin/startmire, /usr/sbin/stopadsl

%adm    ALL= NOPASSWD: PRINTING
%adm    ALL= NOPASSWD: DRAKXTOOLS
%adm    ALL= NOPASSWD: ADSL
%adm    ALL= NOPASSWD: SAGEM

> Fabrice, do you have write access to the wiki? This is the kind of stuff
> I originally meant to put under "The Big Picture":
> http://qa.mandrakesoft.com/twiki/bin/view/Main/TheBigPicture

no I don't :(

> Screenshot:
> http://ranger.dnsalias.com/mandrake/screenshots/win2k3/manage_server.png

I had never seen win2k3 before. Pretty indeed. With tools like
superkaramba/gdesklet we can have some good monitoring opportunities
(/var/log/messages in the desktop background, root-tail can be used too,
plus security advisories).

> While we're here, this is a nice idea:
> 
> http://ranger.dnsalias.com/mandrake/screenshots/win2k3/shut_down_dialog.png

Yeah, well ... what about a diary :D


> > Advantages:
> > - joe user connects with the Admin account and manages the computer with
> > the admin account. As the Admin user doesn't have all the rights root has,
> > possible damage will be less serious: a "rm -fr" in / will have fewer
> > consequences ;)
> > - joe user only needs to know the root password for very specific tasks
> > (kernel recompilation, driver installation, software compilation).
> 
> Not kernel compilation, only kernel installation ... software compilation
> should not need sudo (that's too complicated, and more risky IMHO), but
> in msec 4 you need to be in the ctools group anyway.

You misunderstood me. joe user will need the root password and be logged in
as root (so no sudo, but su instead) if he wants to do compilation
(kernel, software).


> > - we have an account we can customize and where we will be able to show
> > all needed information (security advisories, logs, security email, ...)
> IMHO, at least the rights (ie sudo) need to be per group.

Several Admins? So when you have a mail/security warning, the mail needs
to be sent to all people belonging to this group.

> And imagine if we could store sudo config in LDAP?

This is for server config. For desktop config it's too much.
Having the maximum number of things in one place is a good thing, and as
you can run a backup server it's not too high a risk.

> (well, at least it allows configuration for multiple hosts in one config
> file ... but it could be better).

Let's stay simple. For this there will be no group.
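Added example, not part of this thread and not Mandrake's own tooling: a small parser for the sudoers subset used above (Cmnd_Alias definitions, backslash line continuation, `%group HOST= [NOPASSWD:|PASSWD:] list` user specifications). It expands the aliases so you can see what a group is actually granted once the indirection is gone, and flags the practical caveat with the configs proposed here: NOPASSWD on a package installer such as /usr/sbin/urpmi or /usr/bin/rpm is passwordless root, because installing a crafted package runs its %pre/%post scriptlets as root. The sample sudoers text embedded below is constructed from the aliases in the thread plus one invented `%users` rule for PACKAGES; the ROOT_EQUIVALENT list is an illustrative assumption of this example, not an exhaustive one, and the parser is a reading aid, not a replacement for `visudo -c`.

```python
"""Parse a sudoers fragment, expand Cmnd_Aliases, and report passwordless root grants.

Supports only the subset seen in this thread (added example, assumptions noted
inline). Aliases must be defined before the rules that use them.
"""
import re
from dataclasses import dataclass

# Assumption of this example: commands that are as good as a root shell once
# runnable as root, because package installation executes scriptlets as root.
ROOT_EQUIVALENT = {"/usr/bin/rpm", "/usr/sbin/urpmi"}

# Constructed sample: the aliases from the thread plus an invented %users rule.
SAMPLE_SUDOERS = r"""
Cmnd_Alias      URPMI_CMND = /usr/sbin/urpmi, /usr/sbin/urpmi.update
Cmnd_Alias      SERVICE_CMND = /sbin/service, /usr/sbin/postfix
Cmnd_Alias PRINTING = /usr/bin/enable, /usr/bin/disable
Cmnd_Alias PACKAGES = /usr/bin/rpm
Cmnd_Alias ADSL = /usr/sbin/adsl-connect, /usr/sbin/adsl-setup, \
    /usr/sbin/adsl-start, /usr/sbin/adsl-status, /usr/sbin/adsl-stop
%adm    ALL= NOPASSWD: URPMI_CMND
%adm    ALL= NOPASSWD: SERVICE_CMND
%adm    ALL= NOPASSWD: PRINTING
%adm    ALL= NOPASSWD: ADSL
%users  ALL= PASSWD: PACKAGES   # invented rule: rpm, but with a password
"""

@dataclass
class Rule:
    who: str        # user name or %group
    host: str
    runas: str      # sudo defaults the runas user to root when omitted
    nopasswd: bool
    cmds: list      # command paths after alias expansion

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tag>(?:NOPASSWD|PASSWD):\s*)?"
    r"(?P<cmds>.+)$"
)

def logical_lines(text):
    """Strip '#' comments and blanks, and join lines ending in a backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out

def split_list(s):
    return [item.strip() for item in s.split(",") if item.strip()]

def expand(items, aliases, _seen=()):
    """Replace alias names by their member paths, recursively; reject cycles."""
    paths = []
    for item in items:
        if item in aliases:
            if item in _seen:
                raise ValueError(f"alias cycle through {item}")
            paths.extend(expand(aliases[item], aliases, _seen + (item,)))
        else:
            paths.append(item)
    return paths

def parse_sudoers(text):
    aliases, rules = {}, []
    for line in logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = split_list(m.group(2))
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        rules.append(Rule(
            who=m["who"], host=m["host"],
            runas=(m["runas"] or "root").strip(),
            nopasswd=(m["tag"] or "").startswith("NOPASSWD"),
            cmds=expand(split_list(m["cmds"]), aliases),
        ))
    return aliases, rules

def passwordless_root_commands(rules):
    """Map each user/group to the commands it may run as root with no password."""
    out = {}
    for r in rules:
        if r.nopasswd and r.runas in ("root", "ALL"):
            out.setdefault(r.who, []).extend(r.cmds)
    return out

def root_equivalent_grants(rules):
    """Passwordless-as-root commands that amount to handing out a root shell."""
    return {who: sorted(set(cmds) & ROOT_EQUIVALENT)
            for who, cmds in passwordless_root_commands(rules).items()
            if set(cmds) & ROOT_EQUIVALENT}

ALIASES, RULES = parse_sudoers(SAMPLE_SUDOERS)

if __name__ == "__main__":
    for who, cmds in passwordless_root_commands(RULES).items():
        print(f"{who} may run as root without a password:")
        for c in cmds:
            print("   ", c)
    for who, bad in root_equivalent_grants(RULES).items():
        print(f"WARNING: {who} effectively has passwordless root via {', '.join(bad)}")
```

With the sample above the report lists the eleven commands %adm can run passwordless and warns that /usr/sbin/urpmi alone already makes that passwordless root; %users does not appear, because its rpm grant still requires a password. The same approach extends to `sudo -l` review on a live host: expanded paths are what matter, not alias names.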


