[sudo-users] Question on functionality

Michael Potter pottmi at gmail.com
Thu Jan 17 23:24:03 EST 2008 

I am just thinking outloud here, but here are some ideas...

Correct me if I am wrong, but what you are after is not really
absolute security, but a way to help the dbas from doing something
"stupid".

Rather than renaming sudo, I would compile sudo with the #define
changed that defines the location of the sudoers file.  Then you would
rename the newly compiled sudo, to the hostname.  then you could
create a specific sudoers file for oracle work and leave the regular
sudoers files for system work.

You would not list the dbas in /etc/sudoers so they could not use sudo.

You may also want to consider NOT doing this with sudo.  You could
create a perl script that would do the checking you want and run the
command.  perl has outstanding support for setuid scripts (giyf: perl
taint mode).

For instance, in perl you could do things like check the time of day
and only allow commands to be run in production during certain times
of the day or when certain conditions are met.

-- 
Michael Potter


On Jan 13, 2008 10:13 PM, Phil Wild <philwild at gmail.com> wrote:
> Hello sudo-users,
>
> I am new to the list but have used sudo for simple task previously.
>
> I have a requirement to use sudo to protect production systems. We had
> an issue where a dba ran a command on a production host that he was
> supposed to run elsewhere. We are trying to come up with a way of
> making it hard for this type of thing to happen again.
>
> What I want to do is:
>
> Turn the oracle account into a role and remove the password.
> Set up the dba's so that they can run everything they want bar a
> certain list of commands as the oracle user.
> Allow them to do this without a password
>
> I am then going to rename sudo to the hostname so to run anything on
> the host they log into the host and type "hostname command parameters
> etc etc". This is going to be a bit painful will ensure they run what
> they run where they expect it to run...
>
> I think all the above is possible but I would be interested in
> comments on the concept...
>
> Also, the dba's set environment variable which point them to a target
> database for interactive commands. Any ideas on a way to handle this
> as I assume they will not be passed through the sudo command?
>
> Cheers
>
> Phil
>
> --
> Tel: 0400 466 952
> Fax: 0433 123 226
> email: philwild at gmail.com
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

More information about the sudo-users mailing list