Re: Need Suggestion: To limit the access of root account
Hi,

Absolutely, sudo is highly recommended, & powerful. You can give many commands to each user, different permissions for each, etc.

"Defaults:ALL timestamp_timeout=0" makes the permission go back to the user state after each sudo action, so a user must redo another sudo if he needs a second root-permission-level command. This is a simple security improvement.

Here is a very simple example:

Defaults env_reset,tty_tickets

# Host alias specification
Host_Alias HOST = jaunty
Host_Alias LAN = 192.168.1.0/255.255.255.0
Host_Alias HOME = HOST,LAN

# User alias specification

# Cmnd alias specification
Cmnd_Alias CRYPT = /usr/bin/truecrypt
Cmnd_Alias USBDEV = /usr/bin/unetbootin,/usr/bin/gnome-format
Cmnd_Alias APT = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
Cmnd_Alias UPDATES = /usr/bin/update-manager
Cmnd_Alias FUSE = /usr/bin/Gmount-iso
Cmnd_Alias MYPROGS = CRYPT,USBDEV,APT,UPDATES,FUSE

# User privilege specification
root ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin HOME=(root) ALL
%admin HOME=(root) NOEXEC:/usr/bin/vim
iain HOME=(root) NOPASSWD:MYPROGS

You can see here this is secured by host-restricted permissions, LAN restrictions, & a strict list of programs allowed to be launched.

> From: Jordi
> Sent: Wed May 04 08:33:33 CEST 2011
> To:
> Subject: Re: Need Suggestion: To limit the access of root account
>
> man sudo for granular permissions.
>
> Then man sh or man ksh or whatever shell you want to use to create a
> really simple script to show the required options.

Cordialement
Francois Pussault
3701 - 8 rue Marcel Pagnol
31100 Toulouse France
+33 6 17 230 820
+33 5 34 365 269
fpussa...@contactoffice.fr
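To make the effect of the constructs in that fragment concrete (host aliases, command aliases, group specs, and the NOPASSWD/NOEXEC tags), here is an added example that is not part of the thread: a small Python evaluator for a subset of sudoers(5) syntax, run over a constructed sudoers fragment written for the firewall-admin tasks the original question lists. The group name fwadmin, the hosts fw1/fw2, the interface em0 and the command paths are assumptions made for the example. It implements only a subset (no wildcards, no User_Alias/Runas_Alias, no negation, no Defaults handling), so the real oracle for a live system remains visudo -c and sudo -l.

```python
"""Toy evaluator for a subset of sudoers(5) syntax (constructed example).

Resolves Host_Alias / Cmnd_Alias, %group user specs and the sticky
NOPASSWD / NOEXEC tags, and answers "may USER run COMMAND on HOST?".
Deliberately a subset: no wildcards, User_Alias, Runas_Alias, '!' or
Defaults semantics.  Use visudo -c and sudo -l for real decisions.
"""
import re
from dataclasses import dataclass

# Constructed sudoers fragment for the tasks in the thread.  Group, host,
# interface and path names are assumptions made for this example.
SUDOERS = """
Defaults env_reset, tty_tickets
Defaults:ALL timestamp_timeout=0

Host_Alias FIREWALLS = fw1, fw2

Cmnd_Alias NETCFG  = /sbin/ifconfig, /sbin/route
Cmnd_Alias PFRULES = /sbin/pfctl -nf /etc/pf.conf, /sbin/pfctl -f /etc/pf.conf, /sbin/pfctl -sr
Cmnd_Alias SNIFF   = /usr/sbin/tcpdump -n -i em0
Cmnd_Alias FWADMIN = NETCFG, PFRULES, SNIFF

root     ALL = (ALL) ALL
%fwadmin FIREWALLS = (root) NOPASSWD: FWADMIN
%fwadmin FIREWALLS = (root) NOEXEC: /usr/bin/vi /etc/pf.conf
"""

_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC"}


@dataclass
class Decision:
    allowed: bool
    nopasswd: bool = False
    noexec: bool = False


def parse(text):
    """Return (host_aliases, cmnd_aliases, user_specs) from sudoers text."""
    hosts, cmnds, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):  # Defaults not modelled
            continue
        m = re.match(r"^(Host_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            table = hosts if m.group(1) == "Host_Alias" else cmnds
            table[m.group(2)] = [x.strip() for x in m.group(3).split(",")]
            continue
        # user_or_%group  host = (runas) cmnd_spec_list
        m = re.match(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$", line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line}")
        specs.append((m.group(1), m.group(2), m.group(3) or "root", m.group(4)))
    return hosts, cmnds, specs


def _expand(name, table):
    """Recursively expand an alias name into its leaf entries."""
    if name not in table:
        return [name]
    return [leaf for item in table[name] for leaf in _expand(item, table)]


def _cmnd_specs(spec, cmnds):
    """Yield (command, nopasswd, noexec); tags are sticky across the list."""
    nopasswd = noexec = False
    for item in spec.split(","):
        item = item.strip()
        while ":" in item and item.split(":", 1)[0] in _TAGS:
            tag, item = item.split(":", 1)
            item = item.strip()
            if tag in ("NOPASSWD", "PASSWD"):
                nopasswd = tag == "NOPASSWD"
            else:
                noexec = tag == "NOEXEC"
        for cmd in _expand(item, cmnds):
            yield cmd, nopasswd, noexec


def _cmd_matches(entry, command):
    """sudoers rule: no args listed = any args; listed args must match exactly."""
    if entry == "ALL":
        return True
    e, c = entry.split(), command.split()
    if e[0] != c[0]:
        return False
    if len(e) == 1:
        return True
    if e[1:] == ['""']:          # explicit "" means the command takes no args
        return len(c) == 1
    return e[1:] == c[1:]


def check(text, user, groups, host, command):
    """Evaluate the fragment; as in sudo, the last matching entry wins."""
    hosts, cmnds, specs = parse(text)
    decision = Decision(allowed=False)
    for who, where, _runas, cmdspec in specs:
        user_ok = who == "ALL" or (who[1:] in groups if who.startswith("%") else who == user)
        host_ok = any(h in ("ALL", host) for h in _expand(where, hosts))
        if not (user_ok and host_ok):
            continue
        for cmd, nopasswd, noexec in _cmnd_specs(cmdspec, cmnds):
            if _cmd_matches(cmd, command):
                decision = Decision(True, nopasswd, noexec)
    return decision


if __name__ == "__main__":
    for host, cmd in [("fw1", "/sbin/pfctl -f /etc/pf.conf"),
                      ("fw1", "/sbin/pfctl -f /home/bob/pf.conf"),
                      ("desktop", "/sbin/ifconfig em0"),
                      ("fw2", "/usr/bin/vi /etc/pf.conf")]:
        print(host, cmd, "->", check(SUDOERS, "bob", {"fwadmin"}, host, cmd))
```

Two things the evaluator makes visible that are easy to miss when reading a sudoers file: an entry with no arguments (such as /sbin/ifconfig above) allows any arguments, so whether that is acceptable is a decision the file's author has to make deliberately, and an entry with arguments (the pfctl lines) only matches that exact invocation, which is how the fragment keeps rule loading pinned to /etc/pf.conf. NOEXEC on the editor line is the same idea as the thread's vim entry: the editor may run, but programs it tries to spawn are blocked.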
Re: Need Suggestion: To limit the access of root account
man sudo for granular permissions.

Then man sh or man ksh or whatever shell you want to use to create a really simple script to show the required options.
Re: Need Suggestion: To limit the access of root account
On Fri, 29 Apr 2011 12:05:24 + (UTC) Stuart Henderson wrote:
> This sort of menu might make things a little easier but it's not going
> to make them safer, people can do quite enough damage with just these
> options.

Yeah, you can give read access to your users to the devices or log files required by tcpdump. But it expects root and will exit anyway. Running this especially as root on a firewall is not a brilliant idea.

> If your colleagues are familiar with cisco-style CLI it might be
> worth looking at nsh to make it easier for them, but if they're going
> to have to learn from scratch whatever you do, it's probably more
> useful to teach them the native tools.

Yep, those skills will be far more functional and will for the most part work on other far more cost-effective and as or more useful appliances, and for completely separate uses too.
Re: Need Suggestion: To limit the access of root account
On Fri, Apr 29, 2011 at 07:05, Stuart Henderson wrote:
> On 2011-04-29, Stefan N wrote:
>> I would need some suggestions from you. Currently I am setting up OpenBSD
>> Firewall using PF at my working place.

Make sure your backups are current, and done daily...
Re: Need Suggestion: To limit the access of root account
On 2011-04-29, Stefan N wrote:
> I would need some suggestions from you. Currently I am setting up OpenBSD
> Firewall using PF at my working place.
> However, some of my colleagues are not so familiar with the OpenBSD and we
> would like to take turn to do that. I have the intention that I would like
> to limit the usage and access the root account.
>
> I have intention to give them the 'more than enough' access for them to do
> daily administrative tasks as firewall admin like:
> 1.View/Configure IP Address, Subnet of network interface,VLAN and CARP
> 2.View/Configure default gateway and static route
> 3.View/Change the entry of DNS Server IP
> 4.Configure Syslog
> 5.Add/Remove PF rule
> 6.Backup/Restore
> 8.Viewing traffic using tcpdump

This sort of menu might make things a little easier but it's not going to make them safer, people can do quite enough damage with just these options.

If your colleagues are familiar with cisco-style CLI it might be worth looking at nsh to make it easier for them, but if they're going to have to learn from scratch whatever you do, it's probably more useful to teach them the native tools.
Re: Need Suggestion: To limit the access of root account
On Fri, Apr 29, 2011 at 6:29 AM, Stefan N wrote:
> Hi guys,
>
> Noted and thanks for your suggestions.

Probably mostly every so-called corporate admin is working with Cisco and there's what? iOS -> terminal -> commands

In fact it looks like you need only a couple of commands for them, so sudo/sudoers will be great for them, and they have man pages on the web, in the system and in the FAQ. They will learn a lot from them and they have a chance to be good admins because of that (if they want to learn, of course). E.g. with RBAC in Solaris you have more fine-grained control and there are already profiles for similar tasks prepared, so it's quicker to get what you want, but the same is possible with sudo and the traditional Unix security model (not all).

> Regards,
> Stefan
>
> From: Stefan N
> To: misc@openbsd.org
> Sent: Fri, April 29, 2011 10:52:32 AM
> Subject: Need Suggestion: To limit the access of root account
>
> Hi All,
>
> I would need some suggestions from you. Currently I am setting up OpenBSD
> Firewall using PF at my working place.
> However, some of my colleagues are not so familiar with the OpenBSD and we would
> like to take turn to do that. I have the intention that I would like to limit
> the usage and access the root account.
>
> I have intention to give them the 'more than enough' access for them to do daily
> administrative tasks as firewall admin like:
> 1.View/Configure IP Address, Subnet of network interface,VLAN and CARP
> 2.View/Configure default gateway and static route
> 3.View/Change the entry of DNS Server IP
> 4.Configure Syslog
> 5.Add/Remove PF rule
> 6.Backup/Restore
> 8.Viewing traffic using tcpdump
>
> Is that possible to make some CLI Menu which will appear to the fw admin after
> the login as long as they can do their job.
>
> Example:
>
> OpenBSD/i386
> login:bob
> password:
>
> Please select the task below:
> 1>View/Configure IP Address, Subnet of network interface,VLAN and CARP
> 2>View/Configure default gateway and static route
> 3>View/Change the entry of DNS Server IP
> 4>Configure Syslog
> 5>Add/Remove PF rule
> 6>Backup/Restore
> 7>Viewing traffic using tcpdump
> 8>Logout
>
> Or is there a better way to limit the usage and access of root account by fw
> admin?
>
> My intention is: I would like to give enough access for the fw admin to do their
> job using a simple way.
>
> Thank you in advance.
>
> Regards,
> Stefan
Re: Need Suggestion: To limit the access of root account
Somebody claiming to be Mehma Sarja wrote:
> On 4/28/11 7:52 PM, Stefan N wrote:
> >Hi All,
> >
> >I would need some suggestions from you. Currently I am setting up OpenBSD
> >Firewall using PF at my working place.
> >However, some of my colleagues are not so familiar with the OpenBSD and we
> >would like to take turn to do that. I have the intention that I would like
> >to limit the usage and access the root account.
> >

Use the sudoers file. Give them access to only the files they are allowed to use. Trickle functionality in as demanded.

--Sean
Re: Need Suggestion: To limit the access of root account
Hi guys,

Noted and thanks for your suggestions.

Regards,
Stefan

From: Stefan N
To: misc@openbsd.org
Sent: Fri, April 29, 2011 10:52:32 AM
Subject: Need Suggestion: To limit the access of root account

Hi All,

I would need some suggestions from you. Currently I am setting up OpenBSD Firewall using PF at my working place.
However, some of my colleagues are not so familiar with the OpenBSD and we would like to take turn to do that. I have the intention that I would like to limit the usage and access the root account.

I have intention to give them the 'more than enough' access for them to do daily administrative tasks as firewall admin like:
1.View/Configure IP Address, Subnet of network interface,VLAN and CARP
2.View/Configure default gateway and static route
3.View/Change the entry of DNS Server IP
4.Configure Syslog
5.Add/Remove PF rule
6.Backup/Restore
8.Viewing traffic using tcpdump

Is it possible to make some CLI menu which will appear to the fw admin after the login, as long as they can do their job?

Example:

OpenBSD/i386
login:bob
password:

Please select the task below:
1>View/Configure IP Address, Subnet of network interface,VLAN and CARP
2>View/Configure default gateway and static route
3>View/Change the entry of DNS Server IP
4>Configure Syslog
5>Add/Remove PF rule
6>Backup/Restore
7>Viewing traffic using tcpdump
8>Logout

Or is there a better way to limit the usage and access of root account by fw admin?

My intention is: I would like to give enough access for the fw admin to do their job using a simple way.

Thank you in advance.

Regards,
Stefan
Re: Need Suggestion: To limit the access of root account
On 04/28/11 22:52, Stefan N wrote:
> Hi All,
>
> I would need some suggestions from you. Currently I am setting up OpenBSD
> Firewall using PF at my working place.
> However, some of my colleagues are not so familiar with the OpenBSD and we
> would like to take turn to do that. I have the intention that I would like
> to limit the usage and access the root account.
>
> I have intention to give them the 'more than enough' access for them to do
> daily administrative tasks as firewall admin like:
> 1.View/Configure IP Address, Subnet of network interface,VLAN and CARP
> 2.View/Configure default gateway and static route
> 3.View/Change the entry of DNS Server IP
> 4.Configure Syslog
> 5.Add/Remove PF rule
> 6.Backup/Restore
> 8.Viewing traffic using tcpdump
>
> Is that possible to make some CLI Menu which will appear to the fw admin
> after the login as long as they can do their job.
>
> Example:
>
> OpenBSD/i386
> login:bob
> password:
>
> Please select the task below:
> 1>View/Configure IP Address, Subnet of network interface,VLAN and CARP
> 2>View/Configure default gateway and static route
> 3>View/Change the entry of DNS Server IP
> 4>Configure Syslog
> 5>Add/Remove PF rule
> 6>Backup/Restore
> 7>Viewing traffic using tcpdump
> 8>Logout
>
> Or is there a better way to limit the usage and access of root account by
> fw admin?
>
> My intention is: I would like to give enough access for the fw admin to do
> their job using a simple way.
>
> Thank you in advance.
>
> Regards,
> Stefan

I have seen multiple attempts to do things like this. I've made money cleaning up after people who bungled things with such things.

Really, you'd be far better off teaching them how to actually administrate OpenBSD systems. You could get cheap Dells ($25 - $40 last time I looked) for each person and let them bang on them and learn.

Root is powerful, and on production systems one little slip can cost a lot of money. TEACHING people how to deal with things is far better than some kind of pseudo-jail to keep the animals in their cages.

--STeve Andre'
Re: Need Suggestion: To limit the access of root account
On 4/28/11 7:52 PM, Stefan N wrote:
> Hi All,
>
> I would need some suggestions from you. Currently I am setting up OpenBSD
> Firewall using PF at my working place.
> However, some of my colleagues are not so familiar with the OpenBSD and we
> would like to take turn to do that. I have the intention that I would like
> to limit the usage and access the root account.
>
> I have intention to give them the 'more than enough' access for them to do
> daily administrative tasks as firewall admin like:
> 1.View/Configure IP Address, Subnet of network interface,VLAN and CARP
> 2.View/Configure default gateway and static route
> 3.View/Change the entry of DNS Server IP
> 4.Configure Syslog
> 5.Add/Remove PF rule
> 6.Backup/Restore
> 8.Viewing traffic using tcpdump
>
> Is that possible to make some CLI Menu which will appear to the fw admin
> after the login as long as they can do their job.
>
> Example:
>
> OpenBSD/i386
> login:bob
> password:
>
> Please select the task below:
> 1>View/Configure IP Address, Subnet of network interface,VLAN and CARP
> 2>View/Configure default gateway and static route
> 3>View/Change the entry of DNS Server IP
> 4>Configure Syslog
> 5>Add/Remove PF rule
> 6>Backup/Restore
> 7>Viewing traffic using tcpdump
> 8>Logout
>
> Or is there a better way to limit the usage and access of root account by
> fw admin?
>
> My intention is: I would like to give enough access for the fw admin to do
> their job using a simple way.
>
> Thank you in advance.
>
> Regards,
> Stefan

If you are new to pf, try pfsense.org, although that's based on FreeBSD. It has a nice web GUI and gobs of functionality.

mehma
Need Suggestion: To limit the access of root account
Hi All,

I would need some suggestions from you. Currently I am setting up OpenBSD Firewall using PF at my working place.
However, some of my colleagues are not so familiar with the OpenBSD and we would like to take turn to do that. I have the intention that I would like to limit the usage and access the root account.

I have intention to give them the 'more than enough' access for them to do daily administrative tasks as firewall admin like:
1.View/Configure IP Address, Subnet of network interface,VLAN and CARP
2.View/Configure default gateway and static route
3.View/Change the entry of DNS Server IP
4.Configure Syslog
5.Add/Remove PF rule
6.Backup/Restore
8.Viewing traffic using tcpdump

Is it possible to make some CLI menu which will appear to the fw admin after the login, as long as they can do their job?

Example:

OpenBSD/i386
login:bob
password:

Please select the task below:
1>View/Configure IP Address, Subnet of network interface,VLAN and CARP
2>View/Configure default gateway and static route
3>View/Change the entry of DNS Server IP
4>Configure Syslog
5>Add/Remove PF rule
6>Backup/Restore
7>Viewing traffic using tcpdump
8>Logout

Or is there a better way to limit the usage and access of root account by fw admin?

My intention is: I would like to give enough access for the fw admin to do their job using a simple way.

Thank you in advance.

Regards,
Stefan