[sudo-users] I want to limit root

christian.peper at kpn.com
Tue Nov 25 10:27:09 EST 2008


 
Manuel,

I'm assuming you're using Red Hat/CentOS/Fedora; you don't say.
If so, someone else mentioned the system utility consolehelper the other
day.
Consolehelper will lead any system command through PAM authorization. Here
is an example to get you started:
http://beranger.org/index.php?article=1958&page=3k

This way, you can allow or deny using sudoers and use PAM to permit
certain users to run certain commands. Haven't worked on this yet, but
I'm thinking of redoing system security this way too. You'll have to
config consolehelper *for every command* you'd like to run as root.

Sudo will also let a user run commands as another user; AFAIK
consolehelper can't do that.

If you do not use a Red Hat flavor, I'm afraid it is a lot more complex.
Generally, you use sudo to ALLOW things, not for denying things.
And generally it is considered bad design to make a list of commands
that are denied because there is always a way around that using input
buffer overflows, symlinks and the like.

Chris.
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com 
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manuel Gomez
> Sent: Tuesday, November 25, 2008 3:45 PM
> To: sudo-users
> Subject: [sudo-users] I want to limit root
> 
> Hi, I am constantly using gksu and it's impossible for me 
> to be secure that way, so I am searching for the basic commands 
> necessary for administrative matters.
> 
> For example: sh (sh scripts), cd, rm, cp, chmod, apt-get, bin 
> and sbin (software), and gksu.
> 
> How could I write this in sudoers? Could somebody help me?
> 
> Thank you very much, I appreciate your help.
> 
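
A small audit of sudoers rules along the lines discussed in this thread (allow-list rather than deny-list), added here as an example and not part of the original messages. It handles only simple one-line user specifications; the user name "manuel", the paths and the finding codes are assumptions.

```python
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}

# Constructed sample input; the user name "manuel" and the paths are assumptions.
SAMPLE = """\
# deny-list style
manuel ALL = (root) ALL, !/bin/rm, !/bin/chmod
# allow-list style, arguments pinned
manuel ALL = (root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
# allow-list in form only
manuel ALL = (root) /bin/sh, /bin/cp
"""

def classify(cmd):
    """Return a finding code for one sudoers command entry, or None."""
    if cmd.startswith("!"):
        return "negation"      # deny-list entry; sudoers matches it by path name
    if cmd == "ALL":
        return "all"           # every command is allowed
    path, _, args = cmd.partition(" ")
    if path.endswith("/"):
        return "directory"     # any program in that directory is allowed
    if path.rsplit("/", 1)[-1] in SHELLS:
        return "shell"         # a root shell is unrestricted root
    if not args:
        return "any-args"      # no argument list means any arguments are allowed
    return None

def audit(text):
    """Audit simple one-line user specifications (no aliases, no continuations)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if "=" not in line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        cmds = line.split("=", 1)[1]
        cmds = re.sub(r"^\s*\([^)]*\)\s*", "", cmds)   # drop the (runas) list
        cmds = re.sub(r"\b[A-Z]+:\s*", "", cmds)       # drop tags such as NOPASSWD:
        for cmd in filter(None, (c.strip() for c in cmds.split(","))):
            code = classify(cmd)
            if code:
                findings.append((no, cmd, code))
    return findings

if __name__ == "__main__":
    for no, cmd, code in audit(SAMPLE):
        print(f"line {no}: {cmd!r}: {code}")
```

Only the rule with pinned arguments passes without findings. Edit the real file with visudo so syntax errors are caught before it is installed.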


