[sudo-users] preventing user "bob" from executing sudo at all

Matthew Hannigan mlh at zip.com.au
Thu Mar 4 01:14:04 EST 2010


On Wed, Mar 03, 2010 at 08:20:37PM +1000, Felipe Alvarez wrote:
> > The best way to prevent a user from ever having any
> > permissions to sudo
> > anything is just to never put the user in the file,
> > and avoid putting him in any groups which are
> > enabled for any operations.
> 
> Thank you for all the replies
> Bob doesn't exist, so he hasn't done anything wrong.

Yes, I knew that; just joking along.
See http://en.wikipedia.org/wiki/Alice_and_Bob


> I'm working on a
> security project, and need to secure the server from local accounts,
> not only Web/PHP/SQL attacks, but shell access, too. I need to lock
> down the account as much as possible.
> Is there a way to stop "sudo -s" or "sudo -i"?
> Does sudoers prevent _everyone_ from using sudo, except for the users
> and the binaries (or scripts, files, executables) that I explicitly
> allow? Does this mean "sudo -s" and/or "sudo -i" are _disabled_ by
> default, until I explicitly enable them?

Correct.

Funny story - waaay back when network file sharing was introduced
as an option on PCs and Macs, I had a (paranoid) user who immediately
went into file sharing options and disabled sharing.  Or so he thought.
What he HAD done is actually turn on sharing (by virtue of enabling the
options) and (due to general computer illiteracy) had inadvertently
given network access to many of his 'secret' files.


Regards,
Matt
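
The default-deny behaviour confirmed in the reply above, as an added example that is not part of the original thread: a small audit sketch that reads a sudoers-style policy and reports whether a user is denied outright, restricted to listed commands, or able to get a root shell via "sudo -s" / "sudo -i". The sample policy, the user names other than bob, the `SHELLS` list and the function names are all constructed for illustration; aliases, negation and include directives are not resolved.

```python
import re

# Constructed sample policy, not from the thread. Aliases, Defaults, negation
# and #include directives in real sudoers files are not resolved here.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) /usr/sbin/service apache2 restart, /usr/bin/tail /var/log/syslog
carol   ALL=(root) NOPASSWD: /bin/bash
"""

# Assumed set of login shells; extend it with the entries in /etc/shells.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/ksh", "/bin/csh"}

# user-or-%group  host = (runas) [TAG:] command, command ...
SPEC = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")


def commands_for(sudoers_text, user, groups=()):
    """Collect every command granted to `user` directly or through `groups`."""
    granted = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, _host, cmd_list = m.groups()
        if who in (user, "ALL") or (who.startswith("%") and who[1:] in groups):
            granted += [TAGS.sub("", c.strip()) for c in cmd_list.split(",") if c.strip()]
    return granted


def verdict(sudoers_text, user, groups=()):
    """'denied': no rule names the user. 'shell': sudo -s / -i would be allowed."""
    cmds = commands_for(sudoers_text, user, groups)
    if not cmds:
        return "denied"
    # sudo -s / -i run a shell, so they pass only if ALL or that shell is granted.
    if any(c == "ALL" or c.split(" ")[0] in SHELLS for c in cmds):
        return "shell"
    return "restricted"


if __name__ == "__main__":
    for name, grps in [("bob", ()), ("alice", ()), ("carol", ()), ("bob", ("admin",))]:
        print(name, grps, verdict(SAMPLE_SUDOERS, name, grps))
```

The last case shows the caveat from the quoted advice: bob has no entry of his own, but membership in a group that is enabled for operations still grants him a shell.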



