trying to understand 'sudoers' and its potential pitfalls
Hello there, I'm a newbie trying to understand how to use the sudoers file.
So while I'm reading the manual I wonder about the use of Runas_Alias.
It says in the examples of the manual:
Runas_Alias OP = root, operator
and further down in the user specification section:
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
and yet again later on:
bob SPARC = (OP) ALL : SGI = (OP) ALL
SO:
What it says basically is that the 'runas_alias' for users 'root' and 'operator' is the word OP (pretty obvious, OK).
And then,
the user 'operator' is allowed on all machines to (run as 'root'?) the commands 'DUMPS, KILL, etc. etc.'.
And finally my question is: WHAT can 'bob' do exactly?
He can log onto SPARC and SGI, not with his name but with either sudo -u 'root' or 'operator'? Well, why is that better than enabling bob himself to log on the machines with his own name? Also, what name will be logged in the logs: bob or one of root, operator? If it's bob then what is the point of having the runas_alias command? If on the other hand it is operator, then shouldn't bob ONLY be allowed to run the commands that the operator is allowed to run? I.e. what is the point of 'ALL' (addressed to commands) in
bob SPARC = (OP) ALL : SGI = (OP) ALL
And to mess things up even more in my head: since OP includes root, who has the right to do everything, what is the point of having operator as a runas_alias too?
Another example, again from the manual of sudoers:
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
So here basically the users of the WEBMASTERS user_alias are allowed to run on machine 'www' all commands as users (www)? Or as users WEBMASTERS? And what good does it do to run 'su' as root???
Very confused!
Please help.
Thank you in advance,
nass
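
The rules quoted in the post, worked through as an added example (not part of the original post and not code from the sudo project): a simplified Python model of how sudoers combines user, host, run-as and command fields. The host names sparc1 and sgi1, the WEBMASTERS member wendy and the sample commands are assumptions made for illustration; the Cmnd_Aliases and the sudoedit entry of the operator rule are left out because their definitions are not in the post.

```python
# Simplified model of sudoers rule matching (added example, not a real parser).
RUNAS_ALIAS = {"OP": {"root", "operator"}}            # from the post
USER_ALIAS = {"WEBMASTERS": {"wendy"}}                # member assumed
HOST_ALIAS = {"SPARC": {"sparc1"}, "SGI": {"sgi1"}}   # hosts constructed

# (who, where, run-as list, commands). Empty run-as list = sudoers default, root.
RULES = [
    ("bob", "SPARC", ["OP"], ["ALL"]),
    ("bob", "SGI", ["OP"], ["ALL"]),
    ("WEBMASTERS", "www", ["www"], ["ALL"]),
    ("WEBMASTERS", "www", ["root"], ["/usr/bin/su www"]),
    # Cmnd_Aliases and sudoedit from the operator rule are left out here.
    ("operator", "ALL", [], ["/usr/oper/bin/"]),
]

def expand(name, aliases):
    """Return the alias members, or the name itself when it is not an alias."""
    return aliases.get(name, {name})

def name_matches(name, spec, aliases):
    return spec == "ALL" or name in expand(spec, aliases)

def cmd_matches(cmd, spec):
    if spec == "ALL":
        return True
    if spec.endswith("/"):
        # A directory spec covers files directly inside it, not subdirectories.
        path = cmd.split()[0]
        return path.startswith(spec) and path != spec and "/" not in path[len(spec):]
    return cmd == spec  # a spec with arguments must match them exactly

def allowed(user, host, runas, cmd):
    """True if some rule lets `user` on `host` run `cmd` as `runas`.
    No negations are modelled, so any matching rule grants access."""
    for who, where, runas_list, cmds in RULES:
        if not name_matches(user, who, USER_ALIAS):
            continue
        if not name_matches(host, where, HOST_ALIAS):
            continue
        targets = {"root"}
        if runas_list:
            targets = set().union(*(expand(r, RUNAS_ALIAS) for r in runas_list))
        if runas in targets and any(cmd_matches(cmd, c) for c in cmds):
            return True
    return False

if __name__ == "__main__":
    print(allowed("bob", "sparc1", "operator", "/bin/ls"))    # bob as operator
    print(allowed("operator", "sparc1", "root", "/bin/ls"))   # operator's own rule
```

The run-as list only names the accounts a command may execute as; what the operator account may itself do through sudo is a separate rule and does not limit bob. sudo's log entry for such a run records the invoking user (bob) together with the target account in its USER= field.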