[sudo-users] Alias question

Michael Potter pottmi at gmail.com
Sun Sep 30 22:41:03 EDT 2007


I have not tried this, but what about this:

LVL1ADMIN ALL=(!%wheel)/bin/bash --login

I don't like !, so I would first try to do something like this:

LVL1ADMIN ALL=(%staff)/bin/bash --login

or maybe (%staff,!%wheel)



Presuming you have a group named staff, this would prevent LVL1ADMIN
from logging in as system users such as mail.

To log in as "regular joe" the LVL1ADMIN would do this:
sudo -u regjoe /bin/bash --login

mail does not belong to staff so gets rejected
regjoe belongs to staff so is ok.
superjoe belongs to staff and wheel so gets rejected.

Consider the use of a tool called rootsh rather than bash.  Then the
commands LVL1ADMIN runs as staff will be logged too.  Periodically
review that log for training issues and opportunities for improvement
in procedures.

I would appreciate hearing if someone tries this.

-- 
Michael Potter

On 9/7/07, Galen Johnson <Galen.Johnson at sas.com> wrote:
> Todd would have to answer about the aliases but I don't believe this is
> possible in sudo.  You may have to get creative with the regular
> expressions associated with the commands.
>
> =G=
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of jifan sun
> Sent: Friday, September 07, 2007 1:30 PM
> To: Galen Johnson; sudo-users at sudo.ws
> Subject: Re: [sudo-users] Alias question
>
> That's not really up to me, nor could we get approval to do this. The
> size of the environment
>   that we're administering is vast, and that would be an
> understatement. More of a historical, political requirement, and a
> technical one. This is a spec. we're inheriting from a very old
> out-dated app. written by another co. that we really have no insight on
> exactly how or what, whs of what they did, just the customers technical
> specs for what needs to be provided for its replacement.
>
>   Not exactly on trackability, we already have a logging feature, that
> works... is it bullet proof? no, but it's workable for the moment.
>
>   Actually we don't give out root passwd, so they do need to gain access
> via sudo already. The "unfounded" concern is that in this example "joe"
> a level one admin who is only supposed to be able to sudo to regular
> users to determine what type of problem the user is experiencing. What
> their requirement states is that "joe" should not be sudo su - john "as
> john is a level 3 admin with full root privileges". As stated before,
> I've already demonstrated, that at this point, if they attempted to sudo
> su - root they would need to know john's password, so the requirement
> holds no real merit. (if they knew john's password already they would
> have just logged on as him in the first place). Basically a promotion
> of privileges by unauthorized methods issue.
>
>   The real question is why I can't use an alias, such as,  !/usr/bin/su
> *ADMINS*
> do I not just have a syntax issue, if so what is the correct syntax, or
> is it just not possible to do?
>
>
> Galen Johnson <Galen.Johnson at sas.com> wrote:
>   Why not just disable su entirely and handle it all via sudo...once
> they
> are su'd you lose all trackability. We typically disable su and the
> shells (so -s doesn't work).
>
> =G=
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of jifan sun
> Sent: Friday, September 07, 2007 10:42 AM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] Alias question
>
> We have several levels of admins at our sites. One requirement that's been
> requested is that
> the level1 admins only be allowed to sudo to non-root account, and
> also not be able to sudo to any higher level admin accounts.
>
> I took the example on the website.
>
> john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
>
> 1st modification, works just as expected. i.e. LVL1ADMIN is able to
> sudo to any user other than root or john.
> LVL1ADMIN ALL = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su
> *root*, !/usr/bin/su john
>
> Level 3 admins are identified as the ADMINS alias.
> LVL1ADMIN ALL = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su
> *root*, !/usr/bin/su *ADMINS*
>
> This doesn't work; I've tried several modifications to the above,
> however so far I've not been able to determine the exact syntax, if this
> is even possible to do, without explicitly listing each userid within
> the ADMINS group with !/usr/bin/su
>
> The reasoning behind the requirement is that some are concerned that
> somehow LVL1ADMIN will be able to acquire the privileges of the ADMINS
> group; I've already demonstrated that this is not really possible,
> however that doesn't mean they're going to change the requirement.
>
> Thanks in advance!
>
>
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
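As an added illustration that is not part of the thread, the following Python simulation shows how sudo evaluates the two approaches discussed: the Runas_List `(%staff,!%wheel)` Michael proposes, and the `/usr/bin/su` command patterns from the original question. The group database is constructed for the thread's example users; the matching follows sudo's last-match-wins rule and simplifies sudo's real command-plus-argument matching to a single glob over the whole command line. It also shows why `!/usr/bin/su *ADMINS*` cannot stand in for a User_Alias: inside a command pattern, "ADMINS" is just a literal glob, not an expanded alias.

```python
from fnmatch import fnmatchcase

# Constructed group database for the users discussed in the thread.
GROUPS = {
    "mail": {"mail"},                 # system account, not in staff
    "regjoe": {"staff"},              # "regular joe"
    "superjoe": {"staff", "wheel"},   # also a wheel member
    "john": {"staff", "wheel"},       # level 3 admin, member of ADMINS
}


def _matches(entry, target):
    """True if a single list entry (user name or %group) matches target."""
    if entry.startswith("%"):
        return entry[1:] in GROUPS.get(target, set())
    return entry == target


def runas_allowed(target, runas_list):
    """Evaluate a sudoers Runas_List such as ["%staff", "!%wheel"].

    As in sudo, the last entry that matches decides the outcome and a
    target that matches no entry at all is denied.
    """
    allowed = False
    for entry in runas_list:
        negate = entry.startswith("!")
        if _matches(entry.lstrip("!"), target):
            allowed = not negate
    return allowed


def cmnd_allowed(cmdline, cmnd_list):
    """Evaluate a Cmnd_List of glob patterns ("/usr/bin/su *", "!/usr/bin/su *root*").

    Simplified: the full command line is matched as one glob; sudo itself
    matches the path and the argument string separately.  Last match wins.
    """
    allowed = False
    for pattern in cmnd_list:
        negate = pattern.startswith("!")
        if fnmatchcase(cmdline, pattern.lstrip("!")):
            allowed = not negate
    return allowed


# Michael's proposal: (%staff,!%wheel)
RUNAS = ["%staff", "!%wheel"]
# The original poster's attempt; "*ADMINS*" is a literal glob, not the alias.
CMNDS = ["/usr/bin/su *", "!/usr/bin/su *root*", "!/usr/bin/su *ADMINS*"]
```

Running `cmnd_allowed("/usr/bin/su - john", CMNDS)` returns True, which is exactly the gap the poster observed: the alias member john is not excluded by the `*ADMINS*` pattern, while `runas_allowed("john", RUNAS)` is False because the Runas_List expands the group.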