[sudo-users] Alias question

jifan sun sunjifan at yahoo.com
Fri Sep 7 13:29:53 EDT 2007


That's not really up to me, nor could we get approval to do this. The size of the environment
that we're administering is vast, and that would be an understatement. More of a historical, political requirement, and a technical one. This is a spec. we're inheriting from a very old out-dated app. written by another co. that we really have no insight on exactly how or what, whys of what they did, just the customer's technical specs for what needs to be provided for its replacement.
   
Not exactly on trackability, we already have a logging feature that works... is it bulletproof? No, but it's workable for the moment.
   
Actually we don't give out the root passwd, so they do need to gain access via sudo already. The "unfounded" concern is that, in this example, "joe" is a level one admin who is only supposed to be able to sudo to regular users to determine what type of problem the user is experiencing. What their requirement states is that "joe" should not be able to sudo su - john, "as john is a level 3 admin with full root privileges". As stated before, I've already demonstrated that, at this point, if they attempted to sudo su - root they would need to know john's password, so the requirement holds no real merit (if they knew john's password already they would have just logged on as him in the first place). Basically a promotion of privileges by unauthorized methods issue.

The real question is why I can't use an alias, such as !/usr/bin/su *ADMINS*
Do I just have a syntax issue, and if so what is the correct syntax, or is it just not possible to do?
   
  
Galen Johnson <Galen.Johnson at sas.com> wrote:
  Why not just disable su entirely and handle it all via sudo...once they
are su'd you lose all trackability. We typically disable su and the
shells (so -s doesn't work).

=G=

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of jifan sun
Sent: Friday, September 07, 2007 10:42 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] Alias question

We have several levels of admins at our sites. One requirement that's been
requested is that
the level1 admins only be allowed to sudo to non-root accounts, and
also not be able to sudo to any higher level admin accounts.

I took the example on the website.

john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

1st modification, works just as expected. i.e. LVL1ADMIN is able to
sudo to any user other than root or john.
LVL1ADMIN ALL = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su
*root*, !/usr/bin/su john

Level 3 admins are identified as the ADMINS alias.
LVL1ADMIN ALL = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su
*root*, !/usr/bin/su *ADMINS*

This doesn't work; I've tried several modifications to the above,
however so far I've not been able to determine the exact syntax, if this
is even possible to do, without explicitly listing each userid within
the ADMINS group with !/usr/bin/su

The reasoning behind the requirement is that some are concerned that
somehow LVL1ADMIN will be able to acquire the privileges of the ADMINS
group; I've already demonstrated that this is not really possible,
however that doesn't mean they're going to change the requirement.

Thanks in advance!


____________________________________________________________ 
sudo-users mailing list 
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users


       
---------------------------------
Building a website is a piece of cake. 
Yahoo! Small Business gives you all the tools to get online.
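As an added illustration of the syntax question in the thread (this is example code, not from the sudo project or the posters), the model below mimics how sudoers matches the argument part of a Cmnd spec: arguments are compared as shell-style globs, a leading "!" negates, and the last matching entry wins. An alias name such as ADMINS is not expanded inside an argument pattern, so "*ADMINS*" only matches an argument containing that literal text; the user names and the helper functions are constructed assumptions.

```python
import fnmatch

# Constructed model of sudoers Cmnd matching (not the sudoers implementation):
# the command path must match exactly, the argument string is matched with a
# glob, and a User_Alias name inside the argument pattern is just literal text.

def cmnd_matches(spec, cmd, args):
    """True if one un-negated Cmnd spec matches cmd plus its argument string."""
    spec_cmd, _, spec_args = spec.partition(" ")
    if spec_cmd != cmd:
        return False
    if spec_args == "":          # no argument pattern given: any args match
        return True
    return fnmatch.fnmatchcase(args, spec_args)

def permitted(cmnd_list, cmd, args):
    """Walk a Cmnd list in order; the last matching entry decides."""
    verdict = False
    for spec in cmnd_list:
        negated = spec.startswith("!")
        if cmnd_matches(spec.lstrip("!"), cmd, args):
            verdict = not negated
    return verdict

# The rule from the post, with the alias name written inside the pattern.
ALIAS_IN_PATTERN = [
    "/usr/bin/su [-]*", "/usr/bin/su *",
    "!/usr/bin/su *root*", "!/usr/bin/su *ADMINS*",
]

# The explicit form the post wanted to avoid: expand the alias members when
# the rule is written, one negated entry per user and per su invocation form.
ADMINS = ["john", "mary"]   # constructed sample members of the ADMINS alias

def expand_admins(members):
    rules = ["/usr/bin/su [-]*", "/usr/bin/su *", "!/usr/bin/su *root*"]
    for user in members:
        rules += ["!/usr/bin/su " + user, "!/usr/bin/su - " + user]
    return rules

EXPLICIT = expand_admins(ADMINS)

if __name__ == "__main__":
    for rules, label in ((ALIAS_IN_PATTERN, "alias in pattern"), (EXPLICIT, "explicit")):
        for args in ("bob", "john", "- john", "root"):
            print(f"{label:17} su {args:8} -> {permitted(rules, '/usr/bin/su', args)}")
```

Each negated entry only covers the exact argument forms listed, so any other way of spelling the same su invocation has to be enumerated as well; that is the reason the sudoers documentation treats "!" lists as a convenience rather than a hard boundary.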

