[sudo-users] Secure sudoers
Moisés Barba Pérez
mbarperoi at gmail.com
Tue May 17 05:39:29 EDT 2011
Ok, thank you
Moisés.
2011/5/17 Mark Janssen <maniac.nl at gmail.com>
> On Tue, May 17, 2011 at 10:27 AM, Moisés Barba Pérez
> <mbarperoi at gmail.com> wrote:
> > Hi,
> >
> > Yes, you are right, but if an user has sudo permission as root then he
> can
> > edit soduers: "sudo visudo" for example. I would like to avoid edition of
> > sudoers file with sudo, only the real user root can modify sudoers.
> >
> > Suggestions?
>
> impossible... if people have root, they can do everything...
>
> Just make sure they don't get a root shell or editor rights.
> You could limit exposure using SELinux, or keep your sudo config in
> LDAP. But that's just moving the problem.
>
> Also... monitor changes in the sudo config (tripwire)
>
> --
> Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x
> Unix / Linux Open-Source and Internet Consultant
> Maniac.nl Sig-IO.nl Vps.Stoned-IT.com
>
More information about the sudo-users
mailing list