[sudo-users] Alias question

Galen Johnson Galen.Johnson at sas.com
Fri Sep 7 14:56:34 EDT 2007


Todd would have to answer about the aliases but I don't believe this is
possible in sudo.  You may have to get creative with the regular
expressions associated with the commands.

=G=

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of jifan sun
Sent: Friday, September 07, 2007 1:30 PM
To: Galen Johnson; sudo-users at sudo.ws
Subject: Re: [sudo-users] Alias question

That's not really up to me, nor could we get approval to do this. The
size of the environment that we're administering is vast, and that would
be an understatement. More of a historical, political requirement, and a
technical one. This is a spec. we're inheriting from a very old,
out-dated app. written by another co. that we really have no insight
into: exactly how or what, or the whys of what they did, just the
customer's technical specs for what needs to be provided for its
replacement.

Not exactly on trackability: we already have a logging feature that
works... is it bullet proof? No, but it's workable for the moment.

Actually we don't give out the root passwd, so they do need to gain
access via sudo already. The "unfounded" concern is about this example:
"joe" is a level one admin who is only supposed to be able to sudo to
regular users to determine what type of problem the user is
experiencing. What their requirement states is that "joe" should not be
able to sudo su - john, "as john is a level 3 admin with full root
privileges". As stated before, I've already demonstrated that, at this
point, if they attempted to sudo su - root they would need to know john's
password, so the requirement holds no real merit. (If they knew john's
password already they would have just logged on as him in the first
place.) Basically it is a promotion of privileges by unauthorized
methods issue.

The real question is why I can't use an alias, such as
!/usr/bin/su *ADMINS*
Do I just have a syntax issue? If so, what is the correct syntax, or is
it just not possible to do?

Galen Johnson <Galen.Johnson at sas.com> wrote:
Why not just disable su entirely and handle it all via sudo... once they
are su'd you lose all trackability. We typically disable su and the
shells (so -s doesn't work).

=G=

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of jifan sun
Sent: Friday, September 07, 2007 10:42 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] Alias question

We have several levels of admins at our sites. One requirement that's
been requested is that the level 1 admins only be allowed to sudo to
non-root accounts, and also not be able to sudo to any higher level
admin accounts.

I took the example on the website.

john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

1st modification, works just as expected, i.e. LVL1ADMIN is able to
sudo to any user other than root or john.

LVL1ADMIN ALL = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su *root*, !/usr/bin/su john

Level 3 admins are identified as the ADMINS alias.

LVL1ADMIN ALL = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su *root*, !/usr/bin/su *ADMINS*

This doesn't work; I've tried several modifications to the above,
however so far I've not been able to determine the exact syntax, if this
is even possible to do, without explicitly listing each userid within
the ADMINS group with !/usr/bin/su

The reasoning behind the requirement is that some are concerned that
somehow LVL1ADMIN will be able to acquire the privileges of the ADMINS
group; I've already demonstrated that this is not really possible,
however that doesn't mean they're going to change the requirement.

Thanks in advance!


____________________________________________________________ 
sudo-users mailing list 
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users


       
---------------------------------
Building a website is a piece of cake. 
Yahoo! Small Business gives you all the tools to get online.
____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users



More information about the sudo-users mailing list
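Why the `*ADMINS*` attempt cannot work, as an added example that is not part of the thread and not sudo's own code: in a sudoers Cmnd_Spec the text after the command path is an argument glob, not a place where a User_Alias is expanded, so `!/usr/bin/su *ADMINS*` only denies invocations whose argument string contains the literal word ADMINS. The Python below emulates the matching rules the sudoers manual documents (entries are tried in order, the last match wins, a `!` entry denies, and the arguments are matched as one space-joined string with shell-style globbing in which `*` may match spaces) and then generates the per-member denials the original poster hoped to avoid. The ADMINS membership (john plus a constructed "mary") and the rule text are assumptions made for the example; the su path is the one used in the thread.

```python
"""Emulate how sudoers matches a Cmnd_Spec against 'sudo su ...' invocations.

Added example, not code from the sudo project or the list poster. Only
the simple comma-separated form used in the thread is handled; tags
(NOPASSWD:), Runas lists and quoting are out of scope.
"""
import fnmatch
from typing import List, Tuple

SU = "/usr/bin/su"
# Assumed membership of the ADMINS User_Alias (constructed for the example;
# "john" comes from the thread, "mary" is made up).
ADMINS = ["john", "mary"]

Rule = Tuple[bool, str, str]  # (negated, command, argument glob)


def parse_cmnd_spec(spec: str) -> List[Rule]:
    """Split 'cmd args, !cmd args, ...' into (negated, command, arg_glob)."""
    rules: List[Rule] = []
    for item in spec.split(","):
        item = item.strip()
        negated = item.startswith("!")
        cmd, _, args = item.lstrip("!").strip().partition(" ")
        rules.append((negated, cmd, args.strip()))
    return rules


def allowed(rules: List[Rule], cmd: str, argv: List[str]) -> bool:
    """Return True if sudoers would permit `cmd argv...` under these rules.

    An entry with no argument pattern matches any arguments; an entry with
    a pattern matches when the glob matches the space-joined arguments.
    The last matching entry decides; no match at all means denied.
    """
    joined = " ".join(argv)
    verdict = False
    for negated, rcmd, pattern in rules:
        if rcmd != cmd:
            continue
        if pattern == "" or fnmatch.fnmatchcase(joined, pattern):
            verdict = not negated
    return verdict


# The poster's third attempt: '*ADMINS*' is a literal glob, not an alias
# reference, so it only denies argument strings containing "ADMINS".
ATTEMPT_WITH_ALIAS = f"{SU} [-]*, {SU} *, !{SU} *root*, !{SU} *ADMINS*"


def expand_admin_denials(members: List[str]) -> str:
    """Build what sudoers actually needs: one explicit '!' entry per member.

    '*name*' catches both 'su name' and 'su - name', but it also matches any
    other user whose name contains the member's name (e.g. 'johnny' for
    'john'); that over-matching is the price of a glob-based deny list.
    """
    denials = ", ".join(f"!{SU} *{m}*" for m in members)
    return f"{SU} [-]*, {SU} *, !{SU} *root*, {denials}"


def can_su(spec: str, target: str, login: bool = True) -> bool:
    """Would 'sudo su [-] target' be permitted under this Cmnd_Spec?"""
    argv = ["-", target] if login else [target]
    return allowed(parse_cmnd_spec(spec), SU, argv)


if __name__ == "__main__":
    for name, spec in [("alias-in-args", ATTEMPT_WITH_ALIAS),
                       ("expanded", expand_admin_denials(ADMINS))]:
        print(f"{name}: {spec}")
        for user in ["root", "john", "mary", "alice", "johnny"]:
            print(f"  su - {user:7} ->",
                  "allowed" if can_su(spec, user) else "denied")
```

Running the block shows that under the alias-in-args rule `su - john` is allowed and only `su - root` is denied, while the expanded rule denies every listed member (and, as a side effect, `johnny`). Two caveats for anyone adopting the expanded form: the sudoers manual itself warns that deny entries built from `!` and wildcards are weak (the argument glob is the only thing stopping `su -l john`, `su john -c sh` and any other spelling you forgot), and the alias can still not be referenced from the argument text, so the generated list has to be regenerated whenever ADMINS changes. The sudo-native way to express "any user except root and the level 3 admins" is a Runas list, where aliases and `!` are expanded, for example `LVL1ADMIN ALL = (ALL, !root, !ADMINS) ALL` used with `sudo -u alice -i` instead of `sudo su - alice`; that is my suggestion rather than anything from the thread, it should be checked with `sudo -l` before rollout, and note that negated Runas lists of that form were bypassable with `-u#-1` in sudo releases before 1.8.28 (CVE-2019-14287), long after this thread.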