Re: sudoer security problem on server
On Sun Mar 29, 2009 at 10:41:57 -0300, Eduardo M KALINOWSKI wrote: > This will allow them to run make as root. Not only they will be able to > install anywhere (not only under /usr/local), but they can run any > command by creating a Makefile that does what they want to do. Indeed. > If one wants to restrict access to a directory, file permissions (or > ACLs) are more efficient. Yes, and that is why the "staff" group exists. See the permissions on /usr/local. Bear in mind jumping from staff -> root isn't hard, but that is a separate issue. Steve -- Debian GNU/Linux System Administration http://www.debian-administration.org/ -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: sudoer security problem on server
* Eduardo M KALINOWSKI [2009 Mar 29 08:43 -0500]: > > %USER HOSTNAME=NOPASSWD: /usr/bin/make > > > > I replace USER and HOSTNAME with my local values. The sudoers man page > > is quite extensive as well. > > > > This will allow them to run make as root. Not only they will be able to > install anywhere (not only under /usr/local), but they can run any > command by creating a Makefile that does what they want to do. > > If one wants to restrict access to a directory, file permissions (or > ACLs) are more efficient. Good advice. Hey, I said I'm no expert and I was just tossing out an idea in the broader sense based on what I do locally. - Nate >> -- "The optimist proclaims that we live in the best of all possible worlds. The pessimist fears this is true." Ham radio, Linux, bikes, and more: http://n0nb.us/index.html -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: sudoer security problem on server
Nate Bargmann wrote: > I'm no security or sudo expert, but it seems to me that the devs should > only have access to the commands they need. For example if they need > to install to /usr/local/ using `make install' you can enable that > specific command. For example I did that for myself (single user box) > so that I could run `sudo make install|uninstall' without having to > enter my password: > > %USER HOSTNAME=NOPASSWD: /usr/bin/make > > I replace USER and HOSTNAME with my local values. The sudoers man page > is quite extensive as well. > This will allow them to run make as root. Not only they will be able to install anywhere (not only under /usr/local), but they can run any command by creating a Makefile that does what they want to do. If one wants to restrict access to a directory, file permissions (or ACLs) are more efficient. -- A musical reviewer admitted he always praised the first show of a new theatrical season. "Who am I to stone the first cast?" Eduardo M KALINOWSKI edua...@kalinowski.com.br -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: sudoer security problem on server
* zhang zhengquan [2009 Mar 28 19:27 -0500]: > I wonder if a sysadmin should keep the root privilege safe and not > give sudo to anybody anybody else. and if there is more secure ways of > enabling root privilege to normal users? I'm no security or sudo expert, but it seems to me that the devs should only have access to the commands they need. For example if they need to install to /usr/local/ using `make install' you can enable that specific command. For example I did that for myself (single user box) so that I could run `sudo make install|uninstall' without having to enter my password: %USER HOSTNAME=NOPASSWD: /usr/bin/make I replace USER and HOSTNAME with my local values. The sudoers man page is quite extensive as well. - Nate >> -- "The optimist proclaims that we live in the best of all possible worlds. The pessimist fears this is true." Ham radio, Linux, bikes, and more: http://n0nb.us/index.html -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: sudoer security problem on server
* zhang zhengquan [2009 Mar 28 19:27 -0500]: > I wonder if a sysadmin should keep the root privilege safe and not > give sudo to anybody anybody else. and if there is more secure ways of > enabling root privilege to normal users? I'm no security or sudo expert, but it seems to me that the devs should only have access to the commands they need. For example if they need to install to /usr/local/ using `make install' you can enable that specific command. For example I did that for myself (single user box) so that I could run `sudo make install|uninstall' without having to enter my password: %USER HOSTNAME=NOPASSWD: /usr/bin/make I replace USER and HOSTNAME with my local values. The sudoers man page is quite extensive as well. - Nate >> -- "The optimist proclaims that we live in the best of all possible worlds. The pessimist fears this is true." Ham radio, Linux, bikes, and more: http://n0nb.us/index.html -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: sudoer security problem on server
2009/3/29 zhang zhengquan : > Hi, there, > I am exposed to a sudoer security problem on a server. > the server is running debian etch and every so often users on it > would ask me for sudoer permissions. > I would simply add > > username ALL=(ALL) ALL > user localhost = NOPASSWD: /path/to/command/without/password, /bin/kill PASSWD: /path/to/command/with/pass /bin/ls, /usr/bin/lprm Would be more appropriate. man sudoer for details. -- Regards, Sudev Barar Read http://blog.sudev.in for topics ranging from here to there. PS: I know most of people do not follow email niceties (mostly they are not aware) but if you follow bottom post/in-line post style of email conversations it becomes a whole lot easier to carry on meaningful dialogue and you can snip out what is not meaningful too. Most people just hit reply button and top post leaving prior message appended uselessly at bottom. See if you can adopt this style and persuade others. In case you are already doing this . great, spread the message. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
sudoer security problem on server
Hi, there, I am exposed to a sudoer security problem on a server. the server is running debian etch and every so often users on it would ask me for sudoer permissions. I would simply add username ALL=(ALL) ALL to the /etc/sudoers file. But now I am worried, it is a developement server that devs on it wants some privileges to install stuffs. but what I did is literally giving them root privileges. They can do anything they want on it although I guess they would not do anything malicious on it. I wonder if a sysadmin should keep the root privilege safe and not give sudo to anybody anybody else. and if there is more secure ways of enabling root privilege to normal users? Thanks for any pointers. Z -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
