LinuxQuestions.org
Old 04-28-2006, 06:07 AM   #1
nass
Member
 
Registered: Apr 2006
Location: Athens, Greece
Distribution: slack(64|32)_v(13.37|14.0), debian6, ubuntu
Posts: 630

Rep: Reputation: 36
trying to understand 'sudoers' and its potential pitfalls


Hello there, I'm a newbie trying to understand how to use the sudoers file.
So while I'm reading the manual I wonder about the use of Runas_Alias.
It says in the examples of the manual:

Runas_Alias OP = root, operator

and further down in the user specification section:

operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/

and yet again later on:

bob SPARC = (OP) ALL : SGI = (OP) ALL

So:
What it says basically is that the 'runas_alias' for users 'root' and 'operator' is the word OP (pretty obvious, OK).
And then,
the user 'operator' is allowed on all machines to (run as 'root'?) the commands 'DUMPS, KILL, etc.'.
And finally my question is: WHAT can 'bob' do exactly?

He can log onto SPARC and SGI, not with his name but with either sudo -u 'root' or 'operator'? Well, why is that better than enabling bob himself to log on to the machines with his own name? Also, what name will be logged in the logs: bob or one of root, operator? If it's bob, then what is the point of having the runas_alias command? If on the other hand it is operator, then shouldn't bob ONLY be allowed to run the commands that the operator is allowed to run? I.e., what is the point of 'ALL' (addressed to commands) in
bob SPARC = (OP) ALL : SGI = (OP) ALL
And to mess things up even more in my head: since OP includes root, who has the right to do everything, what is the point of having operator as a runas_alias too?

Another example, again from the sudoers manual:

WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
So here basically the users of the webmasters user_alias are allowed to run on machine 'www' all commands as users (www)? Or as users WEBMASTERS? And what good does it do to run 'su' as root???

Very confused!
Please help.
Thank you in advance,
nass
 
Old 04-28-2006, 11:56 PM   #2
jens
Senior Member
 
Registered: May 2004
Location: Belgium
Distribution: Debian, Slackware, Fedora
Posts: 1,190

Rep: Reputation: 159
Sudo can be more secure and is not as almighty as root.
It's also meant to be configured for your needs (you also don't need to give it to all users). As far as I know it's not even possible to give sudo the same power as root (sudo can only execute one command at the same time).
Unless 'bob' is the sys admin (in this case, sudo can still be used as a more secure way to act as root) he shouldn't have any access to the root system. Making 'bob' a sudo user (in case you have a good reason to give this much access) is just less insecure than making him use root.

I don't really understand what you're asking in your last example:
Quote:
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
So here basically the users of the webmasters user_alias are allowed to run on machine 'www' all commands as users (www)? Or as users WEBMASTERS? And what good does it do to run 'su' as root???

Last edited by jens; 04-29-2006 at 12:24 AM.
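
Added example (not part of either post and not code from the sudo project): a small Python sketch that expands the sudoers lines quoted in the first post into (user, host, run-as users, command) tuples, applying two sudoers rules: an entry with no (runas) list runs as root, and a (runas) list applies to the commands that follow it. The function names are made up for illustration, only the syntax seen in this thread is handled, and aliases whose definitions are not quoted here (SPARC, SGI, WEBMASTERS, DUMPS and so on) are left unexpanded.

```python
import re

# Lines quoted in the thread (taken there from the sudoers manual's examples).
SUDOERS = r"""
Runas_Alias OP = root, operator
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
bob SPARC = (OP) ALL : SGI = (OP) ALL
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
"""

def expand(text):
    """Return (who, host, run_as_users, command) for every rule in text."""
    text = text.replace("\\\n", " ")            # join continuation lines
    runas_aliases, rules = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.match(r"Runas_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            runas_aliases[m.group(1)] = tuple(
                u.strip() for u in m.group(2).split(","))
            continue
        who, rest = line.split(None, 1)
        for spec in rest.split(" : "):           # host = cmds : host = cmds
            host, cmds = (s.strip() for s in spec.split("=", 1))
            run_as = ("root",)                   # default when no (runas) list
            for cmd in (c.strip() for c in cmds.split(",")):
                m = re.match(r"\(([^)]*)\)\s*(.+)", cmd)
                if m:                            # applies to following commands too
                    run_as = tuple(
                        user
                        for name in m.group(1).split(",")
                        for user in runas_aliases.get(name.strip(), (name.strip(),)))
                    cmd = m.group(2)
                rules.append((who, host, run_as, cmd))
    return rules

def targets(rules, who, host):
    """Users that `who` may name with `sudo -u` on `host`."""
    return sorted({u for w, h, users, _ in rules
                   if (w, h) == (who, host) for u in users})

if __name__ == "__main__":
    for who, host, run_as, cmd in expand(SUDOERS):
        print(f"{who:<10} on {host:<5} as {'/'.join(run_as):<13} -> {cmd}")
```

Whichever target user is chosen with `sudo -u`, sudo's log entry records the invoking user (here bob) together with the target user and the command.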
 
  

