Gregory K. Ruiz-Ade wrote:
On Aug 2, 2008, at 2:00 AM, Ralph Shumaker wrote:
Well, then, if I am getting this correctly:
If I want rafael to be able to run ALL commands as (ALL) users, but
only from the local machine (i.e. *not* if connected in from some
remote machine), then in sudoers, I can use:
rafael localhost = (ALL) ALL
No. The hostname field is there because sudoers files are typically
distributed to multiple systems (like we do at UCSD; we write one
sudoers file and send it everywhere).
The hostname field is used to match against the local system's
hostname. This allows you to have a single sudoers file that grants
different rights on different hosts. It has nothing to do with what
host you're connecting from.
From the sudoers(5) manpage:
-----
A Host_List is made up of one or more hostnames, IP addresses, network
numbers, netgroups (prefixed with '+') and other aliases. Again, the
value of an item may be negated with the '!' operator. If you do not
specify a netmask with a network number, the netmask of the host's
ethernet interface(s) will be used when matching. The netmask may be
specified either in dotted quad notation (e.g. 255.255.255.0) or CIDR
notation (number of bits, e.g. 24). A hostname may include shell-style
wildcards (see the Wildcards section below), but unless the hostname
command on your machine returns the fully qualified hostname, you'll
need to use the fqdn option for wildcards to be useful.
-----
Gregory
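To make Gregory's point concrete, here is an added illustration (not sudo's own code and not part of the thread) of how the Host_List field is evaluated: every comparison is against the local machine's hostname and interface addresses, and the function takes no "remote host" argument at all, because the address a user connected from never enters into it. The sudoers fragment, the example.com hostnames and the interface addresses are constructed; "last matching item wins" for '!' negation, case-insensitive hostname matching and treating netgroups as a non-match are assumed simplifications of sudo's real evaluation.

```python
import fnmatch
import ipaddress

# Constructed sudoers fragment, imagined as one file pushed unchanged to every host.
SUDOERS = """\
# Host field = where the rule is evaluated, not where the user connects from.
rafael  ALL                                  = (ALL) ALL
rafael  web*.example.com, !web3.example.com  = (ALL) NOPASSWD: /usr/sbin/service
rafael  192.168.1.0/24                       = (root) /usr/bin/less
rafael  !ALL                                 = (ALL) /sbin/reboot
"""


def _item_matches(item, local_hostname, interface_cidrs):
    """True if one un-negated Host_List item describes the local host.

    interface_cidrs: the local interfaces as 'address/prefix' strings, e.g.
    '192.168.1.10/24' (what ifconfig would show for eth0, in CIDR form).
    """
    interfaces = [ipaddress.ip_interface(s) for s in interface_cidrs]
    if item == "ALL":
        return True
    if item.startswith("+"):
        # Netgroups need NIS/LDAP lookups; this illustration treats them as no match (assumption).
        return False
    if "/" in item:
        # Address or network number with an explicit netmask, dotted quad or CIDR bits.
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            return False
        return any(iface.ip in net for iface in interfaces)
    try:
        addr = ipaddress.ip_address(item)
    except ValueError:
        # Not an address: a hostname, possibly with shell-style wildcards.
        return fnmatch.fnmatchcase(local_hostname.lower(), item.lower())
    # Bare address: matches an interface address exactly, or a network number once
    # the interface's own netmask is applied (the manpage's "netmask of the host's
    # ethernet interface(s)" rule).
    return any(iface.ip == addr or iface.network.network_address == addr
               for iface in interfaces)


def host_list_matches(host_list, local_hostname, interface_cidrs):
    """Evaluate a comma-separated Host_List for this machine.

    '!' negates an item; the last item in the list that matches decides
    (assumed simplification of sudo's evaluation order).
    """
    items = [i.strip() for i in host_list.split(",") if i.strip()]
    for item in reversed(items):
        negated = item.startswith("!")
        if _item_matches(item.lstrip("!"), local_hostname, interface_cidrs):
            return not negated
    return False


def rules_for_host(sudoers_text, local_hostname, interface_cidrs):
    """Return (user, rest-of-rule) pairs whose Host_List applies on this host.

    Only plain 'user host_list = ...' specifications are parsed; Defaults,
    alias definitions and line continuations are out of scope here.
    """
    applicable = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        parts = lhs.strip().split(None, 1)
        if len(parts) != 2 or parts[0].endswith("_Alias"):
            continue
        user, host_list = parts
        if host_list_matches(host_list, local_hostname, interface_cidrs):
            applicable.append((user, rhs.strip()))
    return applicable


if __name__ == "__main__":
    # The same file, evaluated on two different hosts, yields different rights.
    for host, ifaces in (("web1.example.com", ["192.168.1.10/24"]),
                         ("web3.example.com", ["10.0.0.5/24"])):
        print(host)
        for user, rule in rules_for_host(SUDOERS, host, ifaces):
            print(f"  {user} {rule}")
```

Run on web1.example.com with eth0 at 192.168.1.10/24 it selects three of the four rules; on web3.example.com with 10.0.0.5/24 only the ALL rule survives, because the wildcard rule is negated for that host and the 192.168.1.0/24 rule does not cover its interface. Nothing about who is logged in from where changes either outcome.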
I'm not sure then what I need to do. I want to allow user "rafael" to
sudo all commands, but not if rafael has been cracked remotely. I want
to limit rafael's use of sudo such that he must be here, sitting where I
am right now, in front of the machine.
ifconfig shows lo and eth0. eth0 address is set by my DSL provider and
changes (infrequently).
How can I achieve what I want?
The manuals have enlightened me on some things, but confused me on many
others. I want rafael to have full sudo access, but only if he is at
this keyboard I am using right now, regardless of whatever IPv4 (or
IPv6) address is currently assigned to eth0 by my DSL ISP. I don't know
if the IPv6 address ever changes. I haven't paid attention. If it
doesn't, perhaps I can somehow use that to lock it in?
--
Ralph
--------------------
Once the premise is accepted that poverty is never the fault of the poor
but the fault of ‘society’, or of ‘the capitalist system,’ then there is
no definable limit to be set on relief, and the politicians who want to
be elected or reelected will compete with each other in proposing new
‘welfare’ programs to fill some hitherto ‘unmet need.’
--Henry Hazlitt
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list