On Fri, May 25, 2012 at 09:13:05AM BST, Denis Witt wrote:
> sudo su must be disabled of course, also /etc/sudoers must be write
> protected, even for root. This is no problem if you use chattr +i
> /etc/sudoers.

/etc/sudoers file is read only by default.

> But I think enable all commands and disallow some, like su and all known
> shells ;), isn't a good way to go. I would like to disallow all commands by
> default but allow some of them:

What's wrong with specifying ONLY the commands which a user is allowed
to run as root?

> * restarting of web server
> * editing of php.ini
> * file transfer (ftp-ssl, sftp, http, etc.)
> * chmod/chown (some files only)
> * git, svn, rcs
> * some editors
> * apt-get install but not remove
> * dpkg-reconfigure
>
> What else?

What else is he supposed to do?

> When I did some tests with sudoers I wasn't able to disallow certain commands
> with parameters like:
>
> passwd root
>
> The only way was to disable passwd at all, which isn't nice. Is there another
> way to allow some parameters for certain commands?

Yes, simply specify the commands with their options:

    user host = /path/to/command option

You might find aliases useful.

man sudoers

Cheers,
-- 
rjc
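
The allow-list approach from the reply above, written out as a sudoers fragment. This is an added example, not part of the original thread; the user name "webadmin", the apache2 service name and all file paths are assumptions.

```sudoers
# Constructed example: user "webadmin" and every path below are assumptions.
# No "ALL" command grant appears anywhere, so anything not listed is denied
# (su and shells included) without having to enumerate them.

# Fixed command lines: only these exact arguments match.
Cmnd_Alias WEB_RESTART  = /usr/sbin/service apache2 restart, \
                          /usr/sbin/service apache2 reload

# "install *" pins the first argument, so "apt-get remove ..." does not match.
# Caveat from sudoers(5): wildcards in arguments also match whitespace, so
# this constrains only the leading argument, not everything that follows it.
Cmnd_Alias PKG_INSTALL  = /usr/bin/apt-get install *

# Pattern documented in sudoers(5): passwd for named users, but not root.
# The negation is acceptable here only because it narrows an explicit
# allow entry; it is not a deny-list on top of ALL.
Cmnd_Alias PASSWD_USERS = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

# sudoedit runs the editor as the invoking user on a temporary copy, so
# an editor's shell escape does not yield a root shell. Prefer it over
# granting vi/nano as root for the "editing of php.ini" item.
Cmnd_Alias EDIT_PHPINI  = sudoedit /etc/php5/apache2/php.ini

# "user host = (runas) commands", as in the reply, using the aliases.
webadmin ALL = (root) WEB_RESTART, PKG_INSTALL, PASSWD_USERS, EDIT_PHPINI
```

Saved to a scratch file, the fragment can be syntax-checked with `visudo -c -f <file>` before it is installed, and `sudo -l -U webadmin` then lists what the user is actually permitted to run.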