[sudo-users] How does sudo improve security.

mlh at zip.com.au mlh at zip.com.au
Sat Apr 9 02:47:25 EDT 2005


On Fri, 8 Apr 2005 11:03:19 +0200
"Pico Geyer" <picog at softstart.co.za> wrote:
> Another problem that I have is that I don't know what to allow normal
> users to do. The way we are doing it currently is that all users have
> the root password. I agree that this is not the best of mechanisms, but
> we are a very small company and I am the self-proclaimed system
> administrator. Any recommendations on how I should limit users?

At a /minimum/, you should allow everyone to sudo -s (i.e. start a shell as root)
and change the root password to something only you know.  At least that
way you will log when they use the feature.

The better way is to just give them what they need, and be prepared to
expand the list over some weeks.  It will settle down eventually.
This is the way to go if you basically trust them, technically as well
as ethically/professionally.   You don't want to annoy good employees
too much.

> Also any comments on a hacker gaining access to your account and then
> because you're using sudo, the hacker's job is made easy because he has
> more rights than he normally would?

The cracker's job (please, not hacker; that's something else) doesn't really
get more access because he would still need to know the employee's password.
Of course, it lowers the bar a little, because he has to guess/discover
only one of a number of users' passwords.  So practice other good security,
like using ssh.  If you want to make it less brittle you can use other
authentication mechanisms like SecurID, but that may be overkill for you.

Matt
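
As an added illustration, not part of the original message: a Python sketch that reads sudo's syslog entries to show who started a root shell, which binaries each user actually ran (a starting point for the per-user command list), and which requests sudo refused. The sample log lines, host and user names, and the set of shell paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's default syslog format (not from the post).
SAMPLE_LOG = """\
Apr  8 09:12:01 box sudo:     pico : TTY=pts/0 ; PWD=/home/pico ; USER=root ; COMMAND=/bin/bash
Apr  8 09:40:17 box sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd bob
Apr  8 10:02:44 box sudo:    alice : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/messages
Apr  8 10:15:30 box sudo:      bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/reboot
Apr  8 10:20:05 box sshd[812]: Accepted password for bob from 192.0.2.10 port 4022 ssh2
"""

LINE_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<fields>.*)$")
# Assumed shell paths; "sudo -s" is logged with the shell as COMMAND.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/tcsh", "/bin/zsh"}

def parse_sudo_line(line):
    """Return a dict for a sudo command log line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m or "COMMAND=" not in m.group("fields"):
        return None
    head, command = m.group("fields").split("COMMAND=", 1)
    if not command.strip():
        return None
    parts = [p.strip() for p in head.split(";") if p.strip()]
    info = dict(p.split("=", 1) for p in parts if "=" in p)
    return {
        "user": m.group("user"),
        "runas": info.get("USER", "root"),
        "command": command.strip(),
        # When sudo refuses, a status message without '=' precedes TTY=.
        "denied": any("=" not in p for p in parts),
    }

def summarize(log_text):
    """Return (root shell users, {user: binaries run}, refused requests)."""
    root_shells, allowed, denied = [], defaultdict(set), []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        binary = rec["command"].split()[0]
        if rec["denied"]:
            denied.append((rec["user"], rec["command"]))
        elif binary in SHELLS and rec["runas"] == "root":
            root_shells.append(rec["user"])
        else:
            allowed[rec["user"]].add(binary)
    return root_shells, {u: sorted(c) for u, c in allowed.items()}, denied

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Refused requests are the candidates to review when deciding whether to expand a user's list.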



