sudo question
Brendan
brendan at eb-net.net
Sat Jun 11 23:26:46 UTC 2005
># User privilege specification
>root ALL=(ALL) ALL
>jim ALL=(ALL) ALL
>Defaults logfile=/var/log/sudolog
>
>
>
Probably better to just give jim rights to specific commands here
instead of ALL.
>So Jim has root access, but I found Jim can modify the
>log file /var/log/sudolog as well using sudo. How to
>prevent it from changing the log file?
>
>
If you are worried about that, then jim's user account shouldn't be
mentioned in the sudoers file. You can fix the problem by not giving
jim an ALL.
>Question 2. I saw the following article, don't you
>feel it is a stupid configuration? If Jim needs to know
>the root password to use sudo, why not let him su to root?
>
jim doesn't need root's password to run sudo, he just needs jim's
password. jim needs root's password to run su ... unless he has the
nifty NOPASSWORD clause in the sudoers file, and in that case he can
just sudo su - and become root.
># Defaults specification
>Defaults:jim timestamp_timeout=0, runaspw,
>passwd_tries=1
>
>This changes three things. First, "jim" needs root's
>password to run sudo (because of "runaspw"). Second,
>the password will not be remembered
>(timestamp_timeout), and he gets only one chance to
>enter it (the default is three tries).
>
>
>
You might want to check out the man pages for su, sudo and sudoers
before you grant jim any sudoer access.
http://www.courtesan.com/sudo/man/sudoers.html
http://www.courtesan.com/sudo/man/sudo.html
http://www.rt.com/man/su.1.html
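
Added example, not part of the original message: a small Python check that reads sudoers text, lists the non-root users whose entry allows the bare command ALL (the situation discussed above for jim), and reports the local logfile such users could rewrite. It assumes simple one-host entries without aliases; the "ann" entry and its command are hypothetical.

```python
import re

# Constructed sample: the thread's sudoers lines plus a hypothetical "ann".
SAMPLE = """\
# User privilege specification
root ALL=(ALL) ALL
jim ALL=(ALL) ALL
ann ALL=(root) NOPASSWD: /sbin/service httpd restart
Defaults logfile=/var/log/sudolog
"""

SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
SPEC = re.compile(r"^(\S+)\s+[^=]+=\s*(.+)$")   # who hosts = rest
TAG = re.compile(r"^[A-Z_]+:\s*")               # NOPASSWD:, NOEXEC:, ...
LOGFILE = re.compile(r'^Defaults\S*\s.*\blogfile\s*=\s*"?([^\s,"]+)')

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def unrestricted_grants(text):
    """Users other than root whose entry lists the bare command ALL."""
    found = []
    for line in logical_lines(text):
        m = None if line.startswith(SKIP) else SPEC.match(line)
        if not m or m.group(1) == "root":
            continue
        cmds = re.sub(r"\([^)]*\)", "", m.group(2))  # drop (runas) lists
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            while TAG.match(cmd):                    # strip leading tags
                cmd = TAG.sub("", cmd, count=1)
            if cmd == "ALL":
                found.append(m.group(1))
                break
    return found

def local_logfile(text):
    """Path from a 'Defaults logfile=' setting, or None if not set."""
    for line in logical_lines(text):
        m = LOGFILE.match(line)
        if m:
            return m.group(1)
    return None

if __name__ == "__main__":
    print(unrestricted_grants(SAMPLE), "can rewrite", local_logfile(SAMPLE))
```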