[sudo-users] I want to limit root
mgdpz1 at gmail.com
Tue Nov 25 12:56:17 EST 2008
I am on Debian Etch; does consolehelper work on Debian? If I deny
commands, I would be safer than allowing all, wouldn't I?
I can't use sudo because shorewall (my iptables/netfilter frontend) is
only usable with root, and I don't know how to make it accept a normal user (I have
posted to the shorewall-users mailing list and nobody knew the answer;
they say that I would have to ask here...).
Thank you very much for your help.
On Tue, 25-11-2008 at 16:27 +0100, christian.peper at kpn.com wrote:
> I'm assuming you're using Redhat/CentOS/Fedora, you don't say.
> If so, someone else mentioned the system utility consolehelper the other
> Consolehelper will lead any system command thru PAM authorization. Here
> is an example to get you started:
> This way, you can allow or deny using sudoers and use PAM to permit
> certain users to run certain commands. Haven't worked on this yet, but
> I'm thinking of redoing system security this way too. You'll have to
> config consolehelper *for every command* you'd like to run as root.
> Sudo will also let a user run commands as another user, AFAIK
> consolehelper can't do that.
> If you do not use a redhat-flavor, I'm afraid it is a lot more complex.
> Generally, you use sudo to ALLOW things, not for denying things.
> And generally it is considered bad design to make a list of commands
> that are denied because there always is a way around that using input
> buffer overflow, symlinks and the like.
> > -----Original Message-----
> > From: sudo-users-bounces at courtesan.com
> > [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manuel Gomez
> > Sent: Tuesday, November 25, 2008 3:45 PM
> > To: sudo-users
> > Subject: [sudo-users] I want to limit root
> > Hi, I am constantly using gksu and it's impossible for me
> > to be secure that way, so I am searching for the basic commands
> > necessary for administrative matters.
> > For example: sh (sh scripts), cd, rm, cp, chmod, apt-get, bin
> > and sbin (software), and gksu.
> > How could I write this in sudoers? Could somebody help me?
> > Thank you very much, I appreciate your help.
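The allow-versus-deny point made in the reply, as an added sudoers fragment that is not part of the original thread. The user name `manuel`, the path `/sbin/shorewall` and the choice of subcommands are assumptions for illustration; check the real path with `which shorewall` before using it.

```sudoers
# Lines for /etc/sudoers; always edit the file with visudo.
# Assumed names: user "manuel", binary at /sbin/shorewall.

# Weak form (deny-list), shown commented out for comparison.
# Everything is permitted except the named paths. sudo matches
# commands by path, so the list can never enumerate every program
# that is able to start a shell or rewrite a root-owned file.
#
#   manuel ALL = (root) ALL, !/bin/sh, !/bin/su

# Preferred form (allow-list): name each command together with its
# arguments. A command listed with arguments is matched only with
# exactly those arguments; anything not listed is refused.
User_Alias  FWADMIN   = manuel
Cmnd_Alias  SHOREWALL = /sbin/shorewall status,  \
                        /sbin/shorewall check,   \
                        /sbin/shorewall restart

# FWADMIN may run only the SHOREWALL commands, as root, and is
# asked for their own password (no NOPASSWD tag is set).
FWADMIN ALL = (root) SHOREWALL

# Left out on purpose: sh, cp, rm, chmod and unrestricted apt-get.
# Each of them run as root can replace any file on the system, so
# granting one of them is equivalent to granting ALL.
```

After saving, `sudo -l` run as that user lists the commands the entry permits.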