Help configuring sudoers

mlh mlh at zip.com.au
Wed Nov 20 04:11:46 EST 2002


Wiese, Maria wrote:
> I currently have the following sudoers file, which includes most of my
> support groups. I am not sure if it is the most secure configuration,
> but I am just learning, and it is better than all of them having the root password.
> I need suggestions on how to make it better, and a way to add the DBA
> group. The DBAs currently su to Oracle, but I would rather
> they run the commands from their own userids as Oracle without having to su
> to it. I would also like them to be able to execute some
> commands as root. How can I accomplish this? I am finding the manual
> pages confusing.

[ .. ]

> # USER alias gives permissions to modify all user info
> # except root and possibly USA members because USA members
> # are given root permissions through SUDO.
> Cmnd_Alias      USER = /usr/sbin/user*, /usr/bin/passwd [A-z]*,  \
>                 /usr/bin/ch*, !/usr/bin/passwd root, !/usr/bin/ch* root
> 
> Cmnd_Alias      SU = !/usr/bin/su -, !/usr/bin/su - root, !/usr/bin/su
> 
[ .. ]


> SEC             ALL = (root) USER, SU
> %storage        ALL = (root) ALL, SU
> 

Using ! is so fraught with pitfalls I think it is a misfeature.
I never use it.

You're far better off defining what they can do, rather
than saying "they can do everything except this".
"Everything" is a lot.

For instance, the above would let people in SEC su to someone
in USA, and people in USA can su to root with authenticating
themselves! (that part I've deleted from your mail).

Also be very wary of allowing people to su or change the password
of other special accounts such as lp or bin, as those accounts
can be levered almost trivially into becoming root.

My advice is that you should write wrappers to the commands that
you want people to run.  These wrappers should check their args
before continuing. e.g. suwrapper could call su if and only if
the destination uid is greater than 500, or 100 or whatever your
normal accounts start at.


Matt
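As an added example, not code from the original mail or from sudo itself: one shape the suwrapper described above could take, a POSIX sh script that passes `su - USER` through only when USER is a plain account name resolving to a uid at or above a threshold. The threshold of 500, the `%helpdesk` group and the install path `/usr/local/sbin/suwrapper` are assumptions for illustration.

```sh
#!/bin/sh
# suwrapper: added example, not from the original mail or from sudo.
# Meant to be the only su-related command a group gets in sudoers, e.g.
#   %helpdesk ALL = (root) /usr/local/sbin/suwrapper   (assumed names)
# Assumed policy: ordinary accounts start at uid 500; anything below it
# (root, bin, lp, ...) is a system account and never a valid target.
MIN_UID=500

# Accept only a plain login name: no leading dash (so no su options such as
# -c can be smuggled in), no whitespace, no shell metacharacters.
valid_name() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9_.-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Resolve a login name to its numeric uid from the passwd database.
# Prints the uid; fails (prints nothing) if the account does not exist.
resolve_uid() {
    id -u "$1" 2>/dev/null
}

# Pure policy check: a target uid is acceptable only at or above MIN_UID.
# A non-numeric argument makes test(1) fail, which is treated as "deny".
uid_allowed() {
    [ "$1" -ge "$MIN_UID" ] 2>/dev/null
}

# Full check: returns 0 only when "su - NAME" would reach an ordinary account.
target_allowed() {
    valid_name "$1" || return 1
    uid=$(resolve_uid "$1") || return 1
    [ -n "$uid" ] || return 1
    uid_allowed "$uid"
}

main() {
    [ $# -eq 1 ] || { echo "usage: suwrapper USER" >&2; exit 2; }
    if target_allowed "$1"; then
        exec /bin/su - "$1"
    fi
    echo "suwrapper: refusing to su to '$1'" >&2
    exit 1
}

# Dispatch only when installed under this name, so the functions above can be
# sourced and checked without invoking su.
case "$0" in *suwrapper) main "$@" ;; esac
```

Because the argument is validated before `exec`, the sudoers entry never needs a `!` rule: the wrapper is the whole allow-list for su.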





More information about the sudo-users mailing list