trying to understand 'sudoers' and its potential pitfalls
Hello there, I'm a newbie trying to understand how to use the sudoers file.
So while I'm reading the manual I wonder about the use of Runas_Alias.
It says in the examples of the manual:
Runas_Alias OP = root, operator
and further down in the user specification section:
SO:
What it says basically is that the 'runas_alias' for users 'root' and 'operator' is the word OP (pretty obvious, OK).
And then,
the user 'operator' is allowed on all machines to (run as 'root'?) the commands 'DUMPS, KILL, etc.'.
And finally my question is: WHAT can 'bob' do exactly?
He can log onto SPARC and SGI, not with his name but with either sudo -u 'root' or 'operator'? Well, why is that better than enabling bob himself to log on to the machines with his own name? Also, what name will be logged in the logs: bob or one of root, operator? If it's bob, then what is the point of having the runas_alias command? If on the other hand it is operator, then shouldn't bob ONLY be allowed to run the commands that the operator is allowed to run? I.e., what is the point of 'ALL' (addressed to commands) in
bob SPARC = (OP) ALL : SGI = (OP) ALL
And to mess things up even more in my head: since OP includes root, who has the right to do everything, what is the point of having operator as a runas_alias too?
Another example, again from the manual of sudoers:
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
So here basically the users of the WEBMASTERS user_alias are allowed to run on machine 'www' all commands as users (www)? Or as users WEBMASTERS? And what good does it do to run 'su' as root???
Very confused!
Please help.
Thank you in advance,
nass
Sudo can be more secure and is not as almighty as root.
It's also meant to be configured for your needs (you also don't need to give it to all users). As far as I know it's not even possible to give sudo the same power as root (sudo can only execute one command at the same time).
Unless 'bob' is the sys admin (in this case, sudo can still be used as a more secure way to act as root) he shouldn't have any access to the root system. Making 'bob' a sudo user (in case you have a good reason to give this much access) is just less insecure than making him use root.
I don't really understand what you're asking in your last example:
Quote:
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
So here basically the users of the WEBMASTERS user_alias are allowed to run on machine 'www' all commands as users (www)? Or as users WEBMASTERS? And what good does it do to run 'su' as root???
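An added example (not part of the thread and not sudo's own code): a small Python reader for the sudoers lines quoted in the question, listing which user, host, run-as user and command combinations each line permits. The WEBMASTERS members alice and carol and the helper names parse and allowed are assumptions made for the illustration. SPARC, SGI and www are treated as literal host labels, and only the syntax seen in these lines is handled.

```python
import re

# Constructed input: the three sudoers lines quoted in the thread, plus a
# made-up WEBMASTERS membership (alice, carol) so that alias can be expanded.
SUDOERS = """\
Runas_Alias OP = root, operator
User_Alias WEBMASTERS = alice, carol
bob SPARC = (OP) ALL : SGI = (OP) ALL
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
"""

def parse(text):
    """Return (aliases, rules); a rule is (who, host, runas_users, command)."""
    aliases, rules = {}, []
    for line in filter(str.strip, text.splitlines()):
        m = re.match(r"\w+_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
            continue
        who, rest = line.split(None, 1)
        for spec in rest.split(" : "):       # ':' separates per-host specs
            host, cmds = (s.strip() for s in spec.split("=", 1))
            runas = ["root"]                 # sudoers default without a (list)
            for cmd in cmds.split(","):      # simplification: no commas in (list)
                m = re.match(r"\s*\(([^)]*)\)\s*(.+)", cmd)
                if m:                        # a (list) applies from here onward
                    runas = aliases.get(m.group(1).strip(), [m.group(1).strip()])
                    cmd = m.group(2)
                rules.append((who, host, runas, cmd.strip()))
    return aliases, rules

def allowed(user, host, target, command, aliases, rules):
    """Would 'sudo -u target command' by user on host match a rule?"""
    for who, rule_host, runas, cmd in rules:
        is_who = user == who or user in aliases.get(who, [])
        if is_who and host == rule_host and target in runas and cmd in ("ALL", command):
            return True
    return False

ALIASES, RULES = parse(SUDOERS)

if __name__ == "__main__":
    for rule in RULES:
        print(rule)
    print(allowed("bob", "SPARC", "operator", "/bin/ls", ALIASES, RULES))
```

Each rule pairs the invoking user with a set of target users, so '(OP) ALL' lets bob run any command as root or as operator on those hosts, while the WEBMASTERS line permits any command as www but only 'su www' as root.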