Restricting access with sudo

mlh at zip.com.au
Fri Dec 6 00:10:10 EST 2002


Please, no html.

On Mon, Dec 02, 2002 at 02:00:41AM +0000, Jack Mai wrote:
> I am trying to implement the following: allow all our Oracle
> Database Administrators to sudo to the user "oracle",
> start a new ksh as oracle and then be able to carry out
> all Oracle functions except deleting files (i.e. rm).
> I have therefore added the following entries to my
> sudo config file, but it does not seem to work. The config
> below allows either dba1 or dba2 to sudo to oracle (ksh)
> to execute all commands as oracle but not /usr/bin/rm :
>
>       dba1 ncsper01 = (oracle) ALL, !/usr/bin/rm
>       dba2 ncsper01 = (oracle) ALL, !/usr/bin/rm


Using ! in sudo rules is fraught with peril; I'd suggest
that you do not use it.  In this case, once the user
has use of ksh, they're beyond the influence of sudo.

Instead, enumerate everything that they need to do
and put those things in sudoers, after making sure
that those commands are free of security holes themselves.

If this sounds like a lot of work, you're right it is.


You have to trust your DBAs in a lot of ways; you might
as well trust them to 'rm' whatever they can.  I.e. forget
about using sudo.

Regards,
Matt
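The allow-list approach Matt describes, written out as an added sudoers example that is not part of the original thread. The host and user names come from the question above; the command paths under /u01/app/oracle are assumptions for illustration and must be checked against the real installation.

```sudoers
# Added example, not from the original mail.

# The rule from the question. It grants a shell running as oracle, so the
# "!" exclusion never takes effect: every command typed into that ksh is
# executed by ksh, not by sudo, and sudo never sees "/usr/bin/rm".
#
#   dba1 ncsper01 = (oracle) ALL, !/usr/bin/rm
#   dba2 ncsper01 = (oracle) ALL, !/usr/bin/rm

# Rewritten as an explicit allow-list: no shells, no editors, no rm,
# and only commands whose arguments are pinned down.
Host_Alias  ORACLE_HOSTS = ncsper01
User_Alias  DBAS         = dba1, dba2

# Paths below are assumptions; substitute the real ORACLE_HOME.
Cmnd_Alias  ORACLE_ADMIN = /u01/app/oracle/bin/dbstart, \
                           /u01/app/oracle/bin/dbshut, \
                           /u01/app/oracle/bin/lsnrctl start, \
                           /u01/app/oracle/bin/lsnrctl stop, \
                           /u01/app/oracle/bin/lsnrctl status

DBAS ORACLE_HOSTS = (oracle) ORACLE_ADMIN
```

Before adding any entry to ORACLE_ADMIN, confirm the command cannot start a subshell or edit arbitrary files itself (sqlplus, for instance, has a HOST command); such a command puts the DBA back in the same position as granting ksh.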



More information about the sudo-users mailing list