[sudo-users] Question on functionality
Phil Wild
philwild at gmail.com
Thu Jan 17 23:38:02 EST 2008
Thanks for the response Michael,
I was after a little bit of both. I don't want to make it hard for
them to do their job. What we have done is taken a more simplistic
approach and made sure that if they are on a production system, the
background is red (set in their prompt). Hopefully that is enough.
On 18/01/2008, Michael Potter <pottmi at gmail.com> wrote:
> I am just thinking outloud here, but here are some ideas...
>
> Correct me if I am wrong, but what you are after is not really
> absolute security, but a way to help the dbas from doing something
> "stupid".
>
> Rather than renaming sudo, I would compile sudo with the #define
> changed that defines the location of the sudoers file. Then you would
> rename the newly compiled sudo, to the hostname. then you could
> create a specific sudoers file for oracle work and leave the regular
> sudoers files for system work.
>
> You would not list the dbas in /etc/sudoers so they could not use sudo.
>
> You may also want to consider NOT doing this with sudo. You could
> create a perl script that would do the checking you want and run the
> command. perl has outstanding support for setuid scripts (giyf: perl
> taint mode).
>
> For instance, in perl you could do things like check the time of day
> and only allow commands to be run in production during certain times
> of the day or when certain conditions are met.
>
> --
> Michael Potter
>
>
> On Jan 13, 2008 10:13 PM, Phil Wild <philwild at gmail.com> wrote:
> > Hello sudo-users,
> >
> > I am new to the list but have used sudo for simple task previously.
> >
> > I have a requirement to use sudo to protect production systems. We had
> > an issue where a dba ran a command on a production host that he was
> > supposed to run elsewhere. We are trying to come up with a way of
> > making it hard for this type of thing to happen again.
> >
> > What I want to do is:
> >
> > Turn the oracle account into a role and remove the password.
> > Set up the dba's so that they can run everything they want bar a
> > certain list of commands as the oracle user.
> > Allow them to do this without a password
> >
> > I am then going to rename sudo to the hostname so to run anything on
> > the host they log into the host and type "hostname command parameters
> > etc etc". This is going to be a bit painful will ensure they run what
> > they run where they expect it to run...
> >
> > I think all the above is possible but I would be interested in
> > comments on the concept...
> >
> > Also, the dba's set environment variable which point them to a target
> > database for interactive commands. Any ideas on a way to handle this
> > as I assume they will not be passed through the sudo command?
> >
> > Cheers
> >
> > Phil
> >
> > --
> > Tel: 0400 466 952
> > Fax: 0433 123 226
> > email: philwild at gmail.com
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws>
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
>
--
Tel: 0400 466 952
Fax: 0433 123 226
email: philwild at gmail.com
More information about the sudo-users
mailing list