From vadud3 at gmail.com Fri Feb 13 09:23:31 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 13 Feb 2009 09:23:31 -0500
Subject: [sudo-workers] Installing Application without full sudo privilege
Message-ID:

Hi All

My application team needs to install Oracle on hosts. They are asking
for full sudo privilege, so that they can install the app as root.

Is there a lesser privilege that you can suggest than
user ALL=(ALL) ALL

Thanks

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From blfarrell at ra.rockwell.com Fri Feb 13 10:17:20 2009
From: blfarrell at ra.rockwell.com (Brian L Farrell)
Date: Fri, 13 Feb 2009 09:17:20 -0600
Subject: [sudo-workers] Installing Application without full sudo privilege
In-Reply-To:
Message-ID:

Asif,

If you set up the server properly (system settings for shared memory etc., account(s), group(s) etc.), then you only need root for the root.sh script. You can create a script to do the equivalent of root.sh, taking the Oracle SID as an argument, to do what you need done as root to support Oracle installs.

For information on analysis of locking down Oracle you can check out Project Lockdown:
http://www.oracle.com/technology/pub/articles/project_lockdown/index.html
for more details.

Then the sudo configuration is really only configuring it so that all DBAs (controlled by a Unix group for simplicity) can run the Oracle root command scripts:

User_Alias DBALIST = %dbagroup
Cmnd_Alias DBA_RUNAS_ROOT_COMMANDS = /path/to/oracle_root_commands_script
DBALIST ALL = (root) DBA_RUNAS_ROOT_COMMANDS

Hope this helps.

Brian Farrell

____________________________________________________________
sudo-workers mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-workers

From vadud3 at gmail.com Fri Feb 13 12:16:40 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 13 Feb 2009 12:16:40 -0500
Subject: [sudo-workers] [sudo-users] Installing Application without full sudo privilege
In-Reply-To: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
Message-ID:

On Fri, Feb 13, 2009 at 11:43 AM, Makarand Dongare wrote:
> First thing is that Oracle does not need to be installed as root.
> There are a couple of scripts that need to be run as root: rootpre.sh or
> root.sh. Once you do that for the app team, they do not need root access
> for anything.
> If you want to give them root access to run those scripts then give it as below:
>
> oracle servername=(root) full-path-for-command

What if the path name is different for different envs? Can I do it like
this /*/root.sh for path?

> Hope this helps.
>
> Makarand Dongare
>
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

From edgar.olvera at bbva.bancomer.com Fri Feb 13 13:24:07 2009
From: edgar.olvera at bbva.bancomer.com (Olvera Peralta Edgar Alfredo)
Date: Fri, 13 Feb 2009 12:24:07 -0600
Subject: [sudo-workers] [sudo-users] Installing Application without full sudo privilege
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
Message-ID: <594C0BF852057C47AE7A4681657CD963028413D8@cbnocmsg01.cb.bbvabancomer.com.mx>

From a security point of view that's not recommended. Someone could create a malicious script called "root.sh" in any directory and you'd be allowing it to run as root. That is a serious risk.

Regards,
Edgar Olvera

-----Original message-----
From: sudo-workers-bounces at courtesan.com [mailto:sudo-workers-bounces at courtesan.com] On behalf of Asif Iqbal
Sent: Friday, 13 February 2009 11:17 a.m.
To: Makarand Dongare
CC: sudo-users at sudo.ws; sudo-workers at sudo.ws
Subject: Re: [sudo-workers] [sudo-users] Installing Application without full sudo privilege

On Fri, Feb 13, 2009 at 11:43 AM, Makarand Dongare wrote:
> If you want to give them root access to run those scripts then give it as below:
>
> oracle servername=(root) full-path-for-command

What if the path name is different for different envs? Can I do it like
this /*/root.sh for path?

From vadud3 at gmail.com Fri Feb 13 14:03:39 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 13 Feb 2009 14:03:39 -0500
Subject: [sudo-workers] [sudo-users] Installing Application without full sudo privilege
In-Reply-To: <594C0BF852057C47AE7A4681657CD963028413D8@cbnocmsg01.cb.bbvabancomer.com.mx>
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com> <594C0BF852057C47AE7A4681657CD963028413D8@cbnocmsg01.cb.bbvabancomer.com.mx>
Message-ID:

On Fri, Feb 13, 2009 at 1:24 PM, Olvera Peralta Edgar Alfredo wrote:
> From a security point of view that's not recommended. Someone could
> create a malicious script called "root.sh" in any directory and you'd be
> allowing it to run as root. That is a serious risk.

I realized that right after I hit the send button. So basically even the full path won't help if the user has write access to any of the parent dirs.

So /this/is/the/path/to/the/script.sh can be manipulated if the user has access to, say, /this/is/the.

Is there a better way to give sudo priv to a script, short of the whole path and hoping the user can't or won't play with the path?

> Regards,
> Edgar Olvera

From vadud3 at gmail.com Fri Feb 13 14:57:38 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 13 Feb 2009 14:57:38 -0500
Subject: [sudo-workers] [sudo-users] Installing Application without full sudo privilege
In-Reply-To: <54f8e8a10902131156g67518b20mc7f5b1a116751758@mail.gmail.com>
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com> <54f8e8a10902131156g67518b20mc7f5b1a116751758@mail.gmail.com>
Message-ID:

On Fri, Feb 13, 2009 at 2:56 PM, Makarand Dongare wrote:
> Just use root.sh without the complete path, as the Oracle DBA will need to
> cd to the path and run it as sudo ./root.sh. This way it should work
> fine.

Very good idea!!

From vadud3 at gmail.com Fri Feb 13 14:58:41 2009
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 13 Feb 2009 14:58:41 -0500
Subject: [sudo-workers] [sudo-users] Installing Application without full sudo privilege
In-Reply-To:
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com> <54f8e8a10902131156g67518b20mc7f5b1a116751758@mail.gmail.com>
Message-ID:

On Fri, Feb 13, 2009 at 2:57 PM, Asif Iqbal wrote:
> On Fri, Feb 13, 2009 at 2:56 PM, Makarand Dongare wrote:
>> Just use root.sh without the complete path, as the Oracle DBA will need to
>> cd to the path and run it as sudo ./root.sh. This way it should work
>> fine.
>
> Very good idea!!

Wait! That is actually a bad idea. I can have a file /tmp/root.sh whose content is

exec bash

The user can cd to /tmp and run ./root.sh. I think /usr/alias is a safer path.

From mmdongare at gmail.com Fri Feb 13 11:43:07 2009
From: mmdongare at gmail.com (Makarand Dongare)
Date: Fri, 13 Feb 2009 11:43:07 -0500
Subject: [sudo-workers] [sudo-users] Installing Application without full sudo privilege
In-Reply-To:
References:
Message-ID: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>

First thing is that Oracle does not need to be installed as root.
There are a couple of scripts that need to be run as root: rootpre.sh or
root.sh. Once you do that for the app team, they do not need root access
for anything.
If you want to give them root access to run those scripts then give it as below:

oracle servername=(root) full-path-for-command

Hope this helps.

Makarand Dongare

On 2/13/09, Asif Iqbal wrote:
> Is there a lesser privilege that you can suggest than
> user ALL=(ALL) ALL

From mmdongare at gmail.com Fri Feb 13 14:56:10 2009
From: mmdongare at gmail.com (Makarand Dongare)
Date: Fri, 13 Feb 2009 14:56:10 -0500
Subject: [sudo-workers] [sudo-users] Installing Application without full sudo privilege
In-Reply-To:
References: <54f8e8a10902130843k70f4e0e8ra269bfefcfee8842@mail.gmail.com>
Message-ID: <54f8e8a10902131156g67518b20mc7f5b1a116751758@mail.gmail.com>

Just use root.sh without the complete path, as the Oracle DBA will need to
cd to the path and run it as sudo ./root.sh. This way it should work
fine.

On 2/13/09, Asif Iqbal wrote:
> What if the path name is different for different envs? Can I do it like
> this /*/root.sh for path?

From bambenek.infosec at gmail.com Fri Feb 27 00:10:02 2009
From: bambenek.infosec at gmail.com (John Bambenek)
Date: Thu, 26 Feb 2009 23:10:02 -0600
Subject: [sudo-workers] Feature Request (expiration date of sudo rules)
Message-ID: <49A775AA.5070008@gmail.com>

I was wondering what the possibility of introducing a "drink by" date to a specific sudo rule is...

For instance...

root ALL=(ALL) ALL YYYYmmddhhmm

And the functioning would basically check to see if the time is less than or equal to the timestamp given in the sudo file before giving access. It would be pretty useful in some enterprise settings I would imagine.

Thoughts?

From jotones at hotmail.com Fri Feb 27 05:21:12 2009
From: jotones at hotmail.com (José Luis Otones Solla)
Date: Fri, 27 Feb 2009 11:21:12 +0100
Subject: [sudo-workers] Feature Request (expiration date of sudo rules)
In-Reply-To: <49A775AA.5070008@gmail.com>
References: <49A775AA.5070008@gmail.com>
Message-ID:

Hi,

From our own experience, this feature would be very useful, as we must provide temporary access to some users, especially during a weekend, and you must always remember to disable the rule.

> Date: Thu, 26 Feb 2009 23:10:02 -0600
> From: bambenek.infosec at gmail.com
> To: sudo-workers at sudo.ws
> Subject: [sudo-workers] Feature Request (expiration date of sudo rules)
>
> I was wondering what the possibility of introducing a "drink by" date to
> a specific sudo rule is...
>
> For instance...
>
> root ALL=(ALL) ALL YYYYmmddhhmm
>
> Thoughts?
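The wrapper Brian describes earlier in this thread, written to survive the objections raised after it (a `/*/root.sh` wildcard, a bare `root.sh`, and a parent directory the DBA can write to), as an added shell example that is not code from any poster. The wrapper name, the install path, the oratab file and the sudoers lines in the comments are placeholders; the `NOTAFTER` option in that comment is the expiry John asks for, which sudo 1.8.20 and newer provide.

```shell
#!/bin/sh
# oracle_root_wrapper (hypothetical): the single command a sudoers rule
# points at, instead of "/*/root.sh" or a bare "root.sh". Install root-owned,
# mode 0755, e.g. as /usr/local/sbin/oracle_root_wrapper, then in sudoers:
#   Cmnd_Alias DBA_RUNAS_ROOT_COMMANDS = /usr/local/sbin/oracle_root_wrapper
#   %dbagroup ALL = (root) NOTAFTER=20090216000000Z DBA_RUNAS_ROOT_COMMANDS
# NOTAFTER (sudo >= 1.8.20) retires the rule at the constructed date above.
set -u

# Look up the ORACLE_HOME for SID in an oratab file ("SID:HOME:FLAG" lines)
# and print the root.sh inside it. Anything but [A-Za-z0-9_] in the SID is
# rejected, because the SID arrives as a user-supplied sudo argument.
resolve_root_script() {
    sid=$1; oratab=${2:-/etc/oratab}
    case $sid in
        ""|*[!A-Za-z0-9_]*) echo "rejecting SID '$sid'" >&2; return 1 ;;
    esac
    home=$(awk -F: -v s="$sid" '$1 == s && $2 != "" { print $2; exit }' "$oratab")
    [ -n "$home" ] || { echo "SID $sid not found in $oratab" >&2; return 1; }
    printf '%s\n' "$home/root.sh"
}

# Asif's point: the script is only as trustworthy as every directory above it.
# Succeed only if FILE and each ancestor up to STOP (default /) is owned by
# OWNER (default root) and is neither group- nor world-writable. A symlink
# anywhere in the chain fails too, since its own mode is 0777.
check_trusted_path() {
    file=$1; owner=${2:-root}; stop=${3:-/}
    case $file in /*) ;; *) echo "not an absolute path: $file" >&2; return 1 ;; esac
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    p=$file
    while :; do
        if [ -n "$(find "$p" -prune ! -user "$owner" -print)" ]; then
            echo "not owned by $owner: $p" >&2; return 1
        fi
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group- or world-writable: $p" >&2; return 1
        fi
        [ "$p" = "$stop" ] && return 0
        [ "$p" = / ] && return 1          # reached / without meeting STOP
        p=$(dirname "$p")
    done
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 ORACLE_SID" >&2; exit 2; }
    script=$(resolve_root_script "$1") || exit 2
    check_trusted_path "$script" root / || exit 2
    # Fixed environment: nothing from the caller's PATH, IFS or LD_* reaches root.sh.
    exec /usr/bin/env -i PATH=/usr/bin:/bin HOME=/root ORACLE_SID="$1" /bin/sh "$script"
}

# Act as the wrapper only when run under its installed name, so the two
# functions can also be sourced and exercised on their own.
case ${0##*/} in oracle_root_wrapper) main "$@" ;; esac
```

Run as `sudo /usr/local/sbin/oracle_root_wrapper ORCL`; a root.sh placed under /tmp or any DBA-writable directory is refused before anything executes.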