LinuxQuestions.org
Old 11-22-2008, 03:01 AM   #1
ktek
Member
 
Registered: Sep 2008
Posts: 48

Rep: Reputation: 15
Protect from other sudoers?


Hey.

I'm running a system that recently I started sharing with my roomies. I'd like to give them sudoer powers, so they can actually do things (I'm running Mint 5) but I'd also like to keep them from getting into some of my stuff in ('/home/USER/foo' for instance). Is there a way where I can protect certain directory trees from the sudoer list?

Thanks.
 
Old 11-22-2008, 03:28 AM   #2
pinniped
Senior Member
 
Registered: May 2008
Location: planet earth
Distribution: Debian
Posts: 1,732

Rep: Reputation: 50
Huh - that's like asking god to just go away.

You can try setting up SELinux, but the best thing to do is to not give people super user access. I really can't imagine why anyone would need root access except for the sysadmin.

Besides, 'sudo' is evil incarnate because if those people have poor passwords, share passwords or whatever, if someone gets into their account they have instant root access with absolutely no effort - they don't even have to guess the root password because sudo doesn't care about that.
 
Old 11-22-2008, 05:52 AM   #3
Telemachos
Member
 
Registered: May 2007
Distribution: Debian
Posts: 754

Rep: Reputation: 60
@ Pinniped: you're assuming that you give the other users global superuser privileges through sudo, but you don't have to do that. Some distros enter user ALL=(ALL) ALL, but you can use sudo much more surgically to give regular users on a shared system some powers, but not others. For example, I use this setup to let my regular user (me) shut down, reboot and fiddle with the internet configuration without a password at all:
Code:
# Cmnd alias specification
Cmnd_Alias	HALT = /sbin/shutdown
Cmnd_Alias	REBOOT = /sbin/reboot
Cmnd_Alias	NET = /sbin/iwconfig, /sbin/ifconfig, /sbin/ifup, /sbin/ifdown

# User privilege specification
root	ALL=(ALL) ALL
telemachus ALL=NOPASSWD: HALT, REBOOT, NET
Obviously, I have reason to trust myself, but I could force the user to give a password or limit the commands even more. Sudo itself isn't evil; like anything else, some people misuse it.

@ Ktek: First, think about your sentence "I'd like to give them sudoer powers, so they can actually do things." Regular users already can do plenty without root privileges - in fact, they can do nearly everything they need to do. What exactly do you want for them that they can't get at now? After you figure out the things you want to open up for them, read through man sudoers carefully to see how you can give some but not all privileges to users.
 
Old 11-22-2008, 05:56 AM   #4
JosipBroz
Member
 
Registered: Nov 2008
Location: Ljubljana
Distribution: OpenSuSE
Posts: 56

Rep: Reputation: 18
I agree with pinniped. First, I don't think there is a way under the sun to make root not be root. Second, it's simply a wrong approach - you should create a new group instead, say "powerusers", and give them the exact permissions you want them to have.
 
Old 11-22-2008, 06:17 AM   #5
Telemachos
Member
 
Registered: May 2007
Distribution: Debian
Posts: 754

Rep: Reputation: 60
Quote:
Originally Posted by JosipBroz
I agree with pinniped. First, I don't think there is a way under the sun to make root not be root. Second, it's simply a wrong approach - you should create a new group instead, say "powerusers", and give them the exact permissions you want them to have.
You don't understand: sudo can do exactly what you just asked for with your powerusers group. The way that Ubuntu uses sudo is not the only way to use it. You can use sudo to give specific, limited powers. Entering someone on the sudoers list does not necessarily make them root.

Edit - if you look at my sudoers file above, you will see that the user telemachus has some privileges (reboot, shutdown, etc.), but he isn't root. He can't edit /etc/apt/sources.list, he can't delete all the binaries in /bin, etc. Read man sudoers.

Last edited by Telemachos; 11-22-2008 at 06:19 AM.
 
Old 11-22-2008, 06:31 AM   #6
pinniped
Senior Member
 
Registered: May 2008
Location: planet earth
Distribution: Debian
Posts: 1,732

Rep: Reputation: 50
Thanks for pointing out that 'sudo' doesn't mean absolute root access. However, on most machines I still wouldn't give people rights to fiddle with the network or shut down the computer. I guess if you want the computer shut down after someone uses it you could give them such a privilege but I never trust people not to do something like a remote reboot or shutdown. Well, it's a (mostly) free world and people can do as they please with their own computers.
 
Old 11-22-2008, 06:47 AM   #7
Telemachos
Member
 
Registered: May 2007
Distribution: Debian
Posts: 754

Rep: Reputation: 60
Quote:
Originally Posted by pinniped
Thanks for pointing out that 'sudo' doesn't mean absolute root access. However, on most machines I still wouldn't give people rights to fiddle with the network or shut down the computer.
I completely agree. The user in this case is me, so I trust him. I wanted to show that sudo isn't all or nothing. You can choose any set of commands, specify one user or a group, and you can also control what password they use to get the privileges (their user password or a root password or a distinct user password, etc.). The example was just a random example, since I had it handy on this machine.

Bottom line for me: sudo is far more powerful than people imagine.
 
Old 11-22-2008, 09:31 AM   #8
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
Blog Entries: 2

Rep: Reputation: 124
If you choose to let them edit things, make sure you only give them a restricted editor; otherwise they'll just be able to shell out and do whatever anyway.
 
Old 11-24-2008, 05:14 AM   #9
ktek
Member
 
Registered: Sep 2008
Posts: 48

Original Poster
Rep: Reputation: 15
@ Pinniped and JosipBroz: I know, root is root. I wasn't asking how to limit root. I was asking about sudo.

I also know that sudo has potential for flagrant abuse. However, it's the way my distro is configured, and I'm still too new at this to really know how to effectively personalize my system. I don't think I'll be sticking with Mint long enough to really justify deep personalization anyway. It's a rebound distro after battling to install Gentoo for a few days, >.< (I learned a lot during that ordeal, including that Gentoo users are liars :P "it's really not all that difficult to set up, you just have to read the manual...") and it's on the way out for me.


@ telemachos: Thanks for the tips.

@ estabroo: Where could I read more about shell/editors?
 
Old 11-24-2008, 05:45 AM   #10
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,126

Rep: Reputation: 4120
Nah, Gentoo is easy - the best doco. No arguments.
Have you thought of chroot jails for your "friends"?
 
Old 11-24-2008, 09:38 AM   #11
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
Blog Entries: 2

Rep: Reputation: 124
ktek, take a look at rvi and rvim, essentially just vi/vim with restrictions like no shell escapes. You also might want to look at rbash, which lets you put further restrictions on what can be done in a shell.
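
As an added example (not code from any poster in this thread): a small Python check of the two points raised above, that a sudoers entry can grant a narrow command list instead of ALL (post #3) and that an unrestricted editor run through sudo lets the user shell out (posts #8 and #11). The sample policy, the roomie1/roomie2 users and the ESCAPABLE list are assumptions made up for illustration, and the parser only handles the simple one-line forms shown.

```python
import re

# Constructed sample policy: aliases follow post #3; roomie1/roomie2 are hypothetical.
SAMPLE = """\
Cmnd_Alias HALT = /sbin/shutdown
Cmnd_Alias NET = /sbin/iwconfig, /sbin/ifconfig, /sbin/ifup, /sbin/ifdown
Cmnd_Alias EDIT = /usr/bin/vim /etc/network/interfaces
root ALL=(ALL) ALL
telemachus ALL=NOPASSWD: HALT, NET
roomie1 ALL=(ALL) ALL
roomie2 ALL=HALT, EDIT
"""

# Assumed list of programs that can start a shell from inside themselves.
ESCAPABLE = {"vi", "vim", "emacs", "less", "more", "man"}
SKIP = ("#", "Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def audit(text):
    """Return sorted (user, finding) pairs for risky grants to non-root users."""
    aliases, findings = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:  # remember the alias so later user lines can be expanded
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        # user host = (runas) commands; the (runas) part is optional
        m = re.match(r"(\S+)\s+\S+?\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m or m.group(1) == "root":
            continue
        user = m.group(1)
        for item in m.group(2).split(","):
            # Drop leading tags such as NOPASSWD: before looking at the command.
            item = re.sub(r"^(?:[A-Z_]+:\s*)+", "", item.strip())
            for cmd in aliases.get(item, [item]):
                if not cmd:
                    continue
                if cmd == "ALL":
                    findings.add((user, "unrestricted: ALL commands"))
                elif cmd.split()[0].rsplit("/", 1)[-1] in ESCAPABLE:
                    findings.add((user, "shell escape possible via " + cmd.split()[0]))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(user, "->", finding)
```

On the sample, telemachus's narrow grant passes, roomie1 is flagged for ALL, and roomie2 is flagged for the editor; swapping in the restricted rvim clears the second finding.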
 
Old 11-26-2008, 01:59 AM   #12
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
As per the last para of post #3, what do they NEED to do that they can't do anyway? Do you really need to give them sudo (of any cmd)? It seems unlikely.
 
Old 11-27-2008, 09:52 PM   #13
ktek
Member
 
Registered: Sep 2008
Posts: 48

Original Poster
Rep: Reputation: 15
I think actually, that Telemachos answered all my sudo questions.

Anyway, regarding gentoo, I agree that they are excellent documents. It's just that earnest desire to get it started, and obsessive adhesion step by step is apparently not sufficient to conquer the deep and ancient evil of gentoo installation. XD

Last edited by ktek; 11-27-2008 at 09:53 PM.
 