[sudo-users] I want to limit root

christian.peper at kpn.com
Wed Nov 26 03:23:58 EST 2008


Manuel,

I think the first question is:
- what do you want to do?
Then comes the "how can I do that?".

If you want to enable users to safely set the firewall without harming anything else, maybe you can also use a jail or utilize the suid bit.

That's a bit off topic for this list, so I'll continue off list on this. :P)
Christian.

> -----Original Message-----
> From: Manuel Gomez [mailto:mgdpz1 at gmail.com] 
> Sent: Tuesday, November 25, 2008 6:56 PM
> To: Peper, J.C.A. (Christian) (IT I&O System Engineering)
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] I want to limit root
> 
> I am on Debian Etch; does consolehelper work for Debian? If I 
> deny commands, I would be safer than allowing all, wouldn't I?
> 
> I can't use sudo because shorewall (my iptables/netfilter 
> frontend) is only usable as root, and I don't know how to make it 
> accept a normal user (I have posted on the shorewall-users 
> mailing list and nobody knew the answer; they say that I 
> would have to ask here...).
> 
> Thank you very much for your help.
> 
> On Tue, 25-11-2008 at 16:27 +0100, christian.peper at kpn.com 
> wrote:
> >  Manuel,
> > 
> > I'm assuming you're using Redhat/CentOS/Fedora, you don't say.
> > If so, someone else mentioned the system utility consolehelper the 
> > other day.
> > Consolehelper will lead any system command thru PAM authorization. 
> > Here is an example to get you started:
> > http://beranger.org/index.php?article=1958&page=3k
> > 
> > This way, you can allow or deny using sudoers and use PAM to permit 
> > certain users to run certain commands. Haven't worked on this yet, but 
> > I'm thinking of redoing system security this way too. You'll have to 
> > config consolehelper *for every command* you'd like to run as root.
> > 
> > Sudo will also let a user run commands as another user, AFAIK 
> > consolehelper can't do that.
> > 
> > If you do not use a redhat-flavor, I'm afraid it is a lot more complex.
> > Generally, you use sudo to ALLOW things, not for denying things.
> > And generally it is considered bad design to make a list of commands 
> > that are denied because there always is a way around that using input 
> > buffer overflow, sym links and the like.
> > 
> > Chris.
> > > -----Original Message-----
> > > From: sudo-users-bounces at courtesan.com 
> > > [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manuel Gomez
> > > Sent: Tuesday, November 25, 2008 3:45 PM
> > > To: sudo-users
> > > Subject: [sudo-users] I want to limit root
> > > 
> > > Hi, I am constantly using gksu and it's impossible for me to be 
> > > secure that way, so I am searching for the basic commands necessary 
> > > for administrative matters.
> > > 
> > > For example: sh (sh scripts), cd, rm, cp, chmod, apt-get, bin and 
> > > sbin (software), and gksu.
> > > 
> > > How could I write this in sudoers? Could somebody help me?
> > > 
> > > Thank you very much, I appreciate your help.
> > > 
> 
> 
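
The allow-versus-deny point from the quoted reply, as an added sudoers example that is not part of the original thread. The user name `manuel`, the path `/sbin/shorewall` and the chosen shorewall subcommands are assumptions.

```sudoers
# Added example, not from the thread. Edit this file with visudo.
# Assumptions: user "manuel", shorewall installed at /sbin/shorewall.

# Deny-list (weak): grants everything, then subtracts a few paths.
# Negation only matches the listed paths, so the same program copied
# to a different name is still covered by ALL.
#manuel  ALL = (root) ALL, !/bin/sh, !/bin/rm

# Allow-list: name each command with its full path and arguments.
# A command listed with arguments matches only those exact arguments.
Cmnd_Alias SHOREWALL = /sbin/shorewall status, \
                       /sbin/shorewall check, \
                       /sbin/shorewall restart

manuel  ALL = (root) SHOREWALL
```

`visudo -c` checks the file's syntax, and `sudo -l` run as the user lists what the rule grants.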


