-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 FACORAT Fabrice wrote: > Le ven 03/10/2003 à 15:56, Buchan Milne a écrit : > >>FACORAT Fabrice wrote: >> >>>2°/ sudo should be configure so that this user can launch WITHOUT root >>>password all drakxtools, printer administration tools. >> >>Agreed, plus some other things, like 'service', 'urpmi', 'urpmi.update', >>maybe 'postfix' so they can run 'postfix flush' etc: >> >>Cmnd_Alias URPMI_CMND = /usr/sbin/urpmi, /usr/sbin/urpmi.update >>Cmnd_Alias SERVICE_CMND = /sbin/service, /usr/sbin/postfix >>%adm ALL= NOPASSWD: URPMI_CMND >>%adm ALL= NOPASSWD: SERVICE_CMND >> >>$ sudo -l >>User bgmilne may run the following commands on this host: >> (root) NOPASSWD: /usr/sbin/urpmi, /usr/sbin/urpmi.update >> (root) NOPASSWD: /sbin/service, /usr/sbin/postfix >> >>I mentioned this a while back, but probably too late. Can we start >>collecting more useful sudo configs? > > > Cmnd_Alias PRINTING = /usr/bin/enable, /usr/bin/disable
Agree > Cmnd_Alias PACKAGES = /usr/bin/rpm Disagree. If you can't install it with urpmi, then you need to be *real* root to install it IMHO. Or, it should at least not be NOPASSWD (so there is more auditing possibilities). Everything else is already controlled in msec 4 by the rpm group. Well, this is minor complaints anyway, I will collect this stuff on the wiki over the weekend (but it is still useful discussing which ones are useful dedfaults ... and suggesting more ...) > Cmnd_Alias DRAKXTOOLS = all drakxtools progs > Cmnd_Alias ADSL = /usr/sbin/adsl-connect, /usr/sbin/adsl-setup, > /usr/sbin/adsl-start, /usr/sbin/adsl-status, /usr/sbin/adsl-stop > Cmnd_Alias SAGEM = /usr/sbin/showstat, /usr/sbin/startadsl, > /usr/sbin/startmire, /usr/sbin/stopadsl I'll believe you ... > > %adm ALL= NOPASSWD: PRINTING > %adm ALL= NOPASSWD: DRAKXTOOLS > %adm ALL= NOPASSWD: ADSL > %adm ALL= NOPASSWD: SAGEM > > >>Fabrice, do you have write access to the wiki? This is the kind of stuff >>I originall meant to put under "The Big Picture": >>http://qa.mandrakesoft.com/twiki/bin/view/Main/TheBigPicture > > > no I don't :( > > >>Screenshot: >>http://ranger.dnsalias.com/mandrake/screenshots/win2k3/manage_server.png > > > I never saw win2k3 before. Pretty indeed. With tools like > superkaramba/gdesklet we can have some good monitoring opportunities ( > /var/log/messages in desktop background, can use root-tail also + > security advisories ) > > >>While we're here, this is a nice idea: >> >>http://ranger.dnsalias.com/mandrake/screenshots/win2k3/shut_down_dialog.png > > > mouaip ... what about a diary :D I was thinking more integrated revision control on configuration files actually ... > > > >>>Advantages : >>>- joe user connect with Admin account and manage the computer with admin >>>account. As Admin user doesn't have all the right root have, possible >>>damages will be less important : a "rm -fr" in / will have less >>>consequences ;) >>>- joe user only need to know root password for very specific task ( >>>kernel recompilation, driver installation, software compilation ). >> >>Not kernel compilation, only kernel intallation ... software compilation >>should not need sudo (that's too complicated, and more risky IMHO), but >>in msec 4 you need to be in ctools group anyway. > > > You misunderstood me. joe user will need root password and be logged as > root ( so no sudo, but su instead ) if he wants to do compilation ( > kernel, software ) > Joe user should not compile any software as root. Ever. It's too easy to trojan a Makefile. IMHO, neither should 'make install' be run as root (same reason). Instead, software should be installed by packages. > > >>>- we have an account we can customize and where we will be able to show >>>all needed informations ( security advisories, logs, security email, ... >>>) >> >>IMHO, at least the rights (ie sudo) need to be per group. > > > Several Admin ? so need when you have mail/security warning the mail > need to be send to all people belonging to this group. Or are you saying a company with 15000 employees and 200+ servers needs only one admin? >>And imagine if we could store sudo config in LDAP? > > This is for Server config. For desktop config it's too much. Why? Surely you want some users to have some rights on a machine, and other to have none? Maybe you want some users to be able to run something like mtink (to check ink levels on a printer), but you aren't willing to trust everyone else not to find an exploit in it? > having maximum things in one place is a good thing and as you can do > backup server it's not a too high risk. > > >>(well, at least it allows configuration for multiple hosts in one config >>file ... but it could be better). > > > Let's stay simple. For this there will have no group. It might be an idea to make it configurable. But, restricting it to per user makes the difference between scaling up to a large company, and scaling up to a real enterprise ... and large companies always like to plan for becoming an enterprise, so like to buy "scalable" products ... Regards, Buchan - -- |--------------Another happy Mandrake Club member--------------| Buchan Milne Mechanical Engineer, Network Manager Cellphone * Work +27 82 472 2231 * +27 21 8828820x202 Stellenbosch Automotive Engineering http://www.cae.co.za GPG Key http://ranger.dnsalias.com/bgmilne.asc 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/fatDrJK6UGDSBKcRAouEAJ9gCfq1adBCSYeKF8V4hIhJneDgDQCfaHeF uq9S85OHDZ94EICDPCEgLiQ= =OxFw -----END PGP SIGNATURE----- ***************************************************************** Please click on http://www.cae.co.za/disclaimer.htm to read our e-mail disclaimer or send an e-mail to [EMAIL PROTECTED] for a copy. *****************************************************************
