[sudo-users] Secure sudoers

Mark Janssen maniac.nl at gmail.com
Tue May 17 05:02:28 EDT 2011


On Tue, May 17, 2011 at 10:27 AM, Moisés Barba Pérez
<mbarperoi at gmail.com> wrote:
> Hi,
>
> Yes, you are right, but if a user has sudo permission as root then he can
> edit sudoers: "sudo visudo" for example. I would like to avoid editing of the
> sudoers file with sudo; only the real user root can modify sudoers.
>
> Suggestions?

impossible... if people have root, they can do everything...

Just make sure they don't get a root shell or editor rights.
You could limit exposure using SELinux, or keep your sudo config in
LDAP. But that's just moving the problem.

Also... monitor changes in the sudo config (tripwire)

-- 
Mark Janssen  --  maniac(at)maniac.nl  --  pgp: 0x
Unix / Linux Open-Source and Internet Consultant
Maniac.nl Sig-IO.nl Vps.Stoned-IT.com
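
Added example, not part of the original message: one way to check a sudoers policy for the rules the reply warns about (unrestricted `ALL`, shells, editors). The sample policy, the shell and editor lists, and the function names are assumptions made for illustration; the parser handles only the common single-host rule form and one level of `Cmnd_Alias`.

```python
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}
EDITORS = {"vi", "vim", "nano", "emacs", "ed", "visudo", "sudoedit"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias")

SAMPLE = """\
# Constructed sample policy, not taken from the original post.
Defaults env_reset
Cmnd_Alias EDIT = /usr/bin/vim, /usr/sbin/visudo
root    ALL=(ALL) ALL
%admin  ALL=(ALL) NOPASSWD: ALL
alice   ALL=(root) /usr/bin/systemctl restart nginx, \\
                   /bin/bash
bob     ALL=EDIT
carol   ALL=(www-data) /bin/sh
"""

def classify(cmd):
    """Return why a command spec is equivalent to full root, or None."""
    if not cmd or cmd.startswith("!"):
        return None
    if cmd == "ALL":
        return "any command"
    name = cmd.split()[0].rsplit("/", 1)[-1]
    return "root shell" if name in SHELLS else "editor" if name in EDITORS else None

def risky_rules(text):
    """Return (user, command, reason) for non-root rules that amount to root."""
    aliases, findings = {}, []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        if "=" not in line or line.startswith(("#", "Cmnd_Alias") + SKIP):
            continue
        who, spec = line.split("=", 1)
        user = who.split()[0]
        runas = re.match(r"\s*\(([^)]*)\)", spec)
        if runas:  # only rules that can run as root matter here
            spec = spec[runas.end():]
            if not re.search(r"\b(root|ALL)\b", runas.group(1).split(":")[0]):
                continue
        spec = re.sub(r"\b[A-Z_]+:\s*", "", spec)  # drop tags such as NOPASSWD:
        for cmd in (c.strip() for c in spec.split(",")):
            for real in aliases.get(cmd, [cmd]):
                if user != "root" and classify(real):
                    findings.append((user, real, classify(real)))
    return findings
```

Calling `risky_rules(SAMPLE)` lists the `%admin`, `alice` and `bob` entries; `carol` is skipped because her rule does not run as root.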
