restricting within command
Matthew.Hannigan at nl.abnamro.com
Mon Mar 20 10:17:27 EST 2000
Depends a lot on what user-name is on the NO_PASSWDS_CMNDS alias.
It would have to include user bin for instance, because that account
owns most of the binaries (easy to introduce trojans), and on some
unixes user bin can edit /etc/passwd. I think you would have to
enumerate every account with uid less than say, 20. Then there
are a lot of semi-admin accounts like those used for patrol
tivoli, openview etc. that are very sensitive. (i.e. compromising
them could lead to root privileges).
Best to explicitly allow and default deny than the other way around,
and I don't think you can do that with the sudousers syntax.
Martin_Scott at compuware.com on 20/03/2000 15:47:00
To: Matthew Hannigan/NL/ABNAMRO/NL at ABNAMRO,
Julian.Rogan at Unilever.com
cc: sudo-users at courtesan.com
Subject: RE: restricting within command
I have used the following, I am not aware of any significant security
that this will introduce (if you find one, please let me know):
# All accounts in this group **** MUST **** have an entry in the
# An entry ****MUST**** be made here for each account in the User_Alias
Cmnd_Alias NO_PASSWD_CMNDS=/usr/bin/passwd root, /usr/bin/passwd
USER_ADMINS UNIX_HOSTS=USER_MAINT_CMNDS, !NO_PASSWD_CMNDS
My Unix's version of passwd will not prompt for a username, it will take
name as a parameter or default to the username running the command.
From: Matthew Hannigan
[mailto:Matthew.Hannigan at nl.abnamro.com]
Sent: Monday, March 20, 2000 5:04 AM
Subject: Re: restricting within command
I think the standard thing to do is to write a
which restricts the changes (by uid or group for
Julian.Rogan at Unilever.com on 20/03/2000 10:44:00
To: sudo-users at courtesan.com
cc: (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
Subject: restricting within command
I plan on allowing our helpdesk to change users passwords
using sudo as
means of allowing this privilege.
However, as someone just pointed out to me, the helpdesk
will also be
change root's password.
So is there anyway of tightening the privilege in this one
More information about the sudo-users