[sudo-users] Regarding permissions

Tushar Abraham Mathew तुशार एब्रहाम माथ्यू tusharm at cdac.in
Thu Sep 4 01:32:54 EDT 2008


Hi Matthew,


On Tue, 2008-09-02 at 07:41 -0400, Matthew Stier wrote:
> Tushar Abraham Mathew तुशार एब्रहाम माथ्यू wrote:
> > Hi all,
> >          I have been trying to edit my sudoers  file for the first time
> > for allowing access to my machine to some people. This is what my file
> > looks like - 
> >
> >
> >
> >
> > # sudoers file.
> > #
> > # This file MUST be edited with the 'visudo' command as root.
> > #
> > # See the sudoers man page for the details on how to write a sudoers file.
> > #
> >  
> > # Host alias specification
> >  
> > # User alias specification
> > User_Alias ADMIN = amol,nimmi
> >  
> > # Cmnd alias specification
> > Cmnd_Alias SHELLS = usr/local/bin/bash,/bin/csh,/bin/tcsh
> >   
> Typo in the definition of 'bash'
> > Cmnd_Alias COMMANDS = /bin/rm,/usr/sbin/adduser,/usr/sbin/rmuser,/usr/local/sbin/visudo
> >  
> >  
> > # Defaults specification
> >  
> > # Runas alias specification
> > Runas_Alias  SYSADMIN = amol, nimmi
> >
> >
> > # User privilege specification
> > root    ALL=(ALL) ALL
> > john    ALL=(ALL)  ALL
> > #
> > #
> > #
> > #
> >  
> >  
> >  
> > ADMIN ALL = (SYSADMIN) ALL, !SHELLS, !COMMANDS
> >  
> >  
> > # Uncomment to allow people in group wheel to run all commands
> >
> >
> >
> >
> >
> > Could anyone advise if there is any way users (except for john) can do
> > harm to my machine ??
> >
> >
> >   
> Besides root and john being all-powerful, you are giving amol and nimmi 
> permission to act as each other.
> >   

So I can avoid this by giving it separately I guess -

ADMIN (or only amol ??) ALL = (amol) ALL, !SHELLS, !COMMANDS

& 

ADMIN (or only nimmi ??) ALL = (nimmi) ALL, !SHELLS, !COMMANDS


> >
> > I also haven't understood the exact difference between the statements 
> >
> > root ALL = (ALL) ALL and john ALL = (ALL) ALL
> >
> > Having read through the general sudo documentation available, I
> > understand john will be able to on ALL hosts as ANY USER (sudo -u) run
> > ALL commands.
> >
> >   
> Correct.
> > So the root statement would most likely mean if the root user did sudo
> > foo, he will be able to do so. But since the root user has full
> > privileges, why use sudo in the first place ? 
> >
> >   
> Logging.
Could you expand a little on this ? Also, I'm pasting some material I read
in one of the tutorials -



" bob, bunny ALL = (ALL) ALL

This is generally not a good idea because this allows bob and bunny to
use the su command to grant themselves permanent root privileges thereby
bypassing the command logging features of sudo. The example on using
aliases in the sudoers file shows how to eliminate this problem. "


What does this statement mean ? How can bob and bunny use the su command
without knowing the su password ? 



> > Another version I read was that giving root ALL = (ALL) ALL means once a
> > user like john (john ALL = (ALL) ALL) gets access to commands, he is
> > again restricted if the commands for root become something like 
> > root ALL = (ALL) /bin/
So I'm taking it this version is completely wrong. 

> >
> > Could you enlighten me on this please ?
> >
> >
> >
> > Best Wishes,
> >
> > Tushar.
> >
> >
> >
> >
> >
> >   
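
An added example, not part of either poster's message and not code from the sudo project: a small Python check run over the aliases and rules posted above. It reports the two points Matthew raises, the Cmnd_Alias entry that is not an absolute path and the Runas_Alias that lets amol and nimmi run commands as each other. The parser is a deliberate simplification (one user per rule, no line continuations) and all function names are hypothetical.

```python
import re

# The aliases and rules as posted in the message above.
SUDOERS = """\
User_Alias ADMIN = amol,nimmi
Cmnd_Alias SHELLS = usr/local/bin/bash,/bin/csh,/bin/tcsh
Cmnd_Alias COMMANDS = /bin/rm,/usr/sbin/adduser,/usr/sbin/rmuser,/usr/local/sbin/visudo
Runas_Alias  SYSADMIN = amol, nimmi
root    ALL=(ALL) ALL
john    ALL=(ALL)  ALL
ADMIN ALL = (SYSADMIN) ALL, !SHELLS, !COMMANDS
"""
ALIAS_RE = re.compile(r"^(User|Runas|Cmnd|Host)_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
# user host = (runas) ...; comment and blank lines match neither pattern
RULE_RE = re.compile(r"^([^#\s]\S*)\s+[^\s=]+\s*=\s*\(([^)]*)\)")

def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def parse(text):
    """Return ({(kind, name): members}, [(user_field, runas_list)])."""
    aliases, rules = {}, []
    for line in map(str.strip, text.splitlines()):
        if m := ALIAS_RE.match(line):
            aliases[(m.group(1), m.group(2))] = split_list(m.group(3))
        elif m := RULE_RE.match(line):
            rules.append((m.group(1), split_list(m.group(2))))
    return aliases, rules

def relative_commands(aliases):
    """Cmnd_Alias members that are not absolute paths (the 'bash' typo)."""
    bad = []
    for (kind, name), members in aliases.items():
        for cmd in members if kind == "Cmnd" else []:
            path = cmd.lstrip("!").split()[0]
            known = path in ("ALL", "sudoedit") or ("Cmnd", path) in aliases
            if not path.startswith("/") and not known:
                bad.append((name, cmd))
    return bad

def cross_runas(aliases, rules):
    """(user, target) pairs where one listed user may run commands as another."""
    pairs = []
    for user_field, runas in rules:
        users = aliases.get(("User", user_field), [user_field])
        targets = [t for r in runas for t in aliases.get(("Runas", r), [r])]
        pairs += [(u, t) for u in users for t in targets if t != u and t in users]
    return pairs

if __name__ == "__main__":
    aliases, rules = parse(SUDOERS)
    print(relative_commands(aliases), cross_runas(aliases, rules))
```
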



