restricting within command

Matthew Hannigan Matthew.Hannigan at nl.abnamro.com
Mon Mar 20 10:17:27 EST 2000 

Depends a lot on what user-name is on the NO_PASSWDS_CMNDS alias.

It would have to include user bin for instance, because that account
owns most of the binaries (easy to introduce trojans), and on some
unixes user bin can edit /etc/passwd.  I think you would have to
enumerate every account with uid less than say, 20.   Then there
are a lot of semi-admin accounts like those used for patrol
tivoli, openview etc. that are very sensitive. (i.e. compromising
them could lead to root privileges).

Best to explicitly allow and default deny than the other way around,
and I don't think you can do that with the sudousers syntax.

Regards,
	-Matt







Martin_Scott at compuware.com on 20/03/2000 15:47:00
To:	Matthew Hannigan/NL/ABNAMRO/NL at ABNAMRO, 
Julian.Rogan at Unilever.com
cc:	sudo-users at courtesan.com 
Subject:	RE: restricting within command

Julian,

I have used the following, I am not aware of any significant security 
holes
that this will introduce (if you find one, please let me know): 

User_Alias      USER_ADMINS=user-admin-user-name

# All accounts in this group **** MUST **** have an entry in the
NO_PASSWD_CMNDS Cmnd_Alias:
User_Alias      UNIX_ADMINS=user-name

# An entry ****MUST**** be made here for each account in the User_Alias 
for
UNIX_ADMINS
Cmnd_Alias      NO_PASSWD_CMNDS=/usr/bin/passwd root, /usr/bin/passwd
user-name

USER_ADMINS             UNIX_HOSTS=USER_MAINT_CMNDS, !NO_PASSWD_CMNDS

My Unix's version of passwd will not prompt for a username, it will take 
the
name as a parameter or default to the username running the command.


Martin
		-----Original Message-----
		From:	Matthew Hannigan
[mailto:Matthew.Hannigan at nl.abnamro.com]
		Sent:	Monday, March 20, 2000 5:04 AM
		To:	Julian.Rogan
		Cc:	sudo-users
		Subject:	Re: restricting within command

		Julian,
			I think the standard thing to do is to write a 
small
wrapper
		which restricts the changes (by uid or group for 
instance).

		Regards,
			-Matt





		Julian.Rogan at Unilever.com on 20/03/2000 10:44:00
		To:	sudo-users at courtesan.com
		cc:	 (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
		Subject:	restricting within command

		Hi,
		I plan on allowing our helpdesk to change users passwords
using sudo as 
		the
		means of allowing this privilege.
		However, as someone just pointed out to me, the helpdesk
will also be 
		able to
		change root's password.
		So is there anyway of tightening the privilege in this one
respect.

		regards


		Julian

More information about the sudo-users mailing list