restricting within command
Matthew Hannigan
Matthew.Hannigan at nl.abnamro.com
Mon Mar 20 10:17:27 EST 2000
Depends a lot on what user-name is on the NO_PASSWDS_CMNDS alias.
It would have to include user bin for instance, because that account
owns most of the binaries (easy to introduce trojans), and on some
unixes user bin can edit /etc/passwd. I think you would have to
enumerate every account with uid less than say, 20. Then there
are a lot of semi-admin accounts like those used for patrol
tivoli, openview etc. that are very sensitive. (i.e. compromising
them could lead to root privileges).
Best to explicitly allow and default deny than the other way around,
and I don't think you can do that with the sudousers syntax.
Regards,
-Matt
Martin_Scott at compuware.com on 20/03/2000 15:47:00
To: Matthew Hannigan/NL/ABNAMRO/NL at ABNAMRO,
Julian.Rogan at Unilever.com
cc: sudo-users at courtesan.com
Subject: RE: restricting within command
Julian,
I have used the following, I am not aware of any significant security
holes
that this will introduce (if you find one, please let me know):
User_Alias USER_ADMINS=user-admin-user-name
# All accounts in this group **** MUST **** have an entry in the
NO_PASSWD_CMNDS Cmnd_Alias:
User_Alias UNIX_ADMINS=user-name
# An entry ****MUST**** be made here for each account in the User_Alias
for
UNIX_ADMINS
Cmnd_Alias NO_PASSWD_CMNDS=/usr/bin/passwd root, /usr/bin/passwd
user-name
USER_ADMINS UNIX_HOSTS=USER_MAINT_CMNDS, !NO_PASSWD_CMNDS
My Unix's version of passwd will not prompt for a username, it will take
the
name as a parameter or default to the username running the command.
Martin
-----Original Message-----
From: Matthew Hannigan
[mailto:Matthew.Hannigan at nl.abnamro.com]
Sent: Monday, March 20, 2000 5:04 AM
To: Julian.Rogan
Cc: sudo-users
Subject: Re: restricting within command
Julian,
I think the standard thing to do is to write a
small
wrapper
which restricts the changes (by uid or group for
instance).
Regards,
-Matt
Julian.Rogan at Unilever.com on 20/03/2000 10:44:00
To: sudo-users at courtesan.com
cc: (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
Subject: restricting within command
Hi,
I plan on allowing our helpdesk to change users passwords
using sudo as
the
means of allowing this privilege.
However, as someone just pointed out to me, the helpdesk
will also be
able to
change root's password.
So is there anyway of tightening the privilege in this one
respect.
regards
Julian
More information about the sudo-users
mailing list