restricting within command
Matthew.Hannigan at nl.abnamro.com
Fri May 19 05:41:47 EDT 2000
This rule is not restrictive enough
for good security!
See
http://www.courtesan.com/pipermail/sudo-users/2000-April/000133.html
There is a philosophical problem underlying this.
You are allowing anything you don't explicitly deny.
You should be denying anything you don't explicitly allow.
Regards,
-Matt
bjuda at lucent.com on 17/05/2000 22:18:06
To: sudo-users at courtesan.com
cc: (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
Subject: Re: restricting within command
"julian.rogan" wrote:
>
> I plan on allowing our helpdesk to change users' passwords using sudo as the
> means of allowing this privilege.
> However, as someone just pointed out to me, the helpdesk will also be able to
> change root's password.
> So is there any way of tightening the privilege in this one respect?
I have the command listed as follows in /etc/sudoers:
/bin/passwd [a-z]*,!/bin/passwd root,.........
The NOT (!) construction applies the exception needed.
- Burt
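
The default-deny approach argued for in this thread, as an added example that is not part of the original messages: a wrapper that sudo runs in place of /bin/passwd and that hands over to it only for exactly one ordinary account name. The wrapper name and path, the helpdesk group, the UID threshold of 1000 and the name pattern are assumptions.

```shell
#!/bin/sh
# Added example: default-deny wrapper for helpdesk password resets.
# Hypothetical install path: /usr/local/sbin/helpdesk-passwd
# sudoers then grants only the wrapper (group name is an assumption):
#   %helpdesk ALL = /usr/local/sbin/helpdesk-passwd
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lowercase only
MIN_UID=1000              # assumed lowest UID of an ordinary account

# Print the numeric UID of a login name; fail if the account is unknown.
lookup_uid() {
    id -u "$1" 2>/dev/null
}

# Succeed only if the arguments are exactly one ordinary account name.
target_allowed() {
    [ "$#" -eq 1 ] || return 1            # one argument, nothing else
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;     # empty, or a character outside the set
        [!a-z_]*) return 1 ;;             # must start with a letter or underscore
    esac
    uid=$(lookup_uid "$1") || return 1    # account must exist
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;          # lookup must yield a plain number
    esac
    [ "$uid" -ge "$MIN_UID" ]             # root and system accounts fall below
}

# Hand over to passwd only for an allowed target; refuse everything else.
reset_password() {
    if target_allowed "$@"; then
        exec /bin/passwd "$1"
    fi
    echo "refused: not an allowed helpdesk target" >&2
    return 1
}

# Runs only when installed under the wrapper's (hypothetical) name.
case "${0##*/}" in
    helpdesk-passwd) reset_password "$@" ;;
esac
```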