SUDO

Mertens, Bram mertensb at mazdaeur.com
Mon Jun 29 14:16:52 UTC 2009


I'd like to elaborate on this a bit.

The intention of sudo is to allow specific users to execute specific
commands while keeping the root account locked down.  In addition, sudo
provides a trace of which user executed which command in /var/log/secure
that can be used for auditing.

The sudoers file should allow as little as possible to as few users as
possible!

If you allow users to execute sudo su - with or without having to enter
the root password you gain nothing.  While working as root no actions
are logged and all log files can be edited to remove any trace of
"illegal" actions.

The same applies to sudo bash: this will grant the user full shell
access without logging.

Another example is sudo vi(m): from within vi the user can execute any
command without any kind of logging.

As for reading the log files: have a look at ACLs, configuring that
allows you to grant read access to log files to a specific user or group
of users.

Kind regards

Bram



Mazda Motor Logistics Europe NV, Blaasveldstraat 162, B-2830 Willebroek
VAT BE 0406.024.281, RPR Mechelen, ING  310-0092504-52, IBAN : BE64 3100 0925 0452, SWIFT : BBRUBEBB

-----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com]
> On Behalf Of Marti, Rob
> Sent: maandag 22 juni 2009 21:01
> To: General Red Hat Linux discussion list
> Subject: RE: SUDO
> 
> IME it may be a "real pain" to sudo view every log, but for any time
> you need accountability, you should either sudo view all logs, or
> change who owns log files (IE create a log group and give group read
> access to them).  Once you switch to root there's no "reliable" logging
> of what's going on.
> 
> Allowing sudo su - (implied root) is a bad idea, imo.
> 
> Rob Marti
> ________________________________________
> From: redhat-list-bounces at redhat.com [redhat-list-bounces at redhat.com]
> On Behalf Of mark [m.roth2006 at rcn.com]
> Sent: Monday, June 22, 2009 13:27
> To: General Red Hat Linux discussion list
> Subject: Re: SUDO
> 
> Hike wrote:
> > Why?
> >
> > If the user knows the root password, there is no need.
> 
> Ok, let me explain further. We're not talking home systems, we're talking
> corporate. And no, *not* everyone knows the root password. In fact,
> using sudo su - means they do not have to know it.
> >
> > If sudo is configured correctly, there is no need to "su - root" since
> > the user can already run the needed commands.
> 
> That depends. Some users - presumably admins - can be configured to be
> allowed to run only certain commands. Others may need less limited use,
> and it can be a lot easier if they can get to root; for example, when
> I'm going to look at logs, and only root can read them, or even look in
> some directories under /var/log, it's a *real* pain to sudo view every
> single log.
> >
> > "man sodu" should explain how to configure sudo and the locatio of
> the
> > configuration file.
> >
> > Did you stop to think that you might not be permitted to do this
with
> > sudo or that the "sudo su - root" may need to be defined in the
> > configuatio file or that the entire su command mat need to be
quoted,
> > etc. So that sudo would understsnd?
> 
> The original poster did say they thought they'd configured it correctly,
> implying - this may not be the case - that they did have access to do
> this.
> 
>         mark
> >
> > On Jun 22, 2009, at 1:27 PM, Matias Nicolas <matiasnicolas at live.co.uk> wrote:
> >
> >>
> >> I know that sudo is for running commands with root privileges but this
> >> idea is about typing "sudo su -" and using one's password and not root's.
> >>
> >>
> >>
> >> That's all...
> >>
> >>> Date: Mon, 22 Jun 2009 12:14:41 -0500
> >>> From: m.roth2006 at rcn.com
> >>> To: redhat-list at redhat.com
> >>> Subject: Re: SUDO
> >>>
> >>> Hike wrote:
> >>>> If you have the root password, try the following.
> >>>>
> >>>> $ su - root
> >>>>
> >>>> When prompted, enter the root password.
> >>>>
> >>>> sudo is to permit regular users to run privileged commands. What you
> >>>> are trying to do is overly complex and redundant.
> >>>>
> >>> Not necessarily. A lot of places want more security, and locking down
> >>> root.
> >>>
> >>> mark
> >>>
> >>> --
> >>> redhat-list mailing list
> >>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> >>> https://www.redhat.com/mailman/listinfo/redhat-list
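As an added example (not from this thread or from the sudo project), here is a small audit of sudoers rules for the patterns Bram warns about: rules handing out `su` or a shell, editors and pagers with a shell escape that lack the `NOEXEC:` tag, and bare `ALL`. The sudoers text it checks is constructed sample data; the sudoers subset it parses (user host=(runas) TAG: command, ...) and the tag-inheritance behaviour across a command list are modelled on the sudoers(5) syntax.

```python
import os
import re

# Commands that, run through sudo, give the caller an interactive root shell;
# nothing typed inside that shell reaches sudo's log (Bram's point above).
ROOT_SHELLS = {"su", "bash", "sh", "dash", "zsh", "ksh", "csh"}
# Commands with a built-in shell escape (":!cmd" in vi, "!" in less/more);
# the NOEXEC: tag blocks the escape, and sudoedit is the safer way to edit as root.
ESCAPE_CAPABLE = {"vi", "vim", "view", "less", "more"}

# Minimal sudoers subset: user host=(runas) [TAG:]... command[, command]...
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample sudoers content, not a real file.
SAMPLE_SUDOERS = """\
Defaults    logfile=/var/log/sudo.log
ops     ALL=(root) NOPASSWD: /sbin/service httpd restart
bob     ALL=(ALL) /bin/su -
alice   ALL=/bin/bash, /usr/bin/vim /etc/hosts
carol   ALL=(root) NOEXEC: /usr/bin/vim /etc/hosts, /usr/bin/less /var/log/secure
dave    ALL=(ALL) ALL
"""

def audit_sudoers(text):
    """Return (line_no, user, reason) for every command spec that yields a root shell."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        user, cmd_list = match.group(1), match.group(4)
        tags = set()  # a tag applies to the rest of the list until overridden
        for spec in cmd_list.split(","):
            tag_text, cmd = TAG_RE.match(spec.strip()).groups()
            for tag in tag_text.split():
                tags.discard("NOEXEC:") if tag == "EXEC:" else tags.add(tag)
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((line_no, user, "ALL: any command, including root shells"))
                continue
            name = os.path.basename(cmd.split()[0])
            if name in ROOT_SHELLS:
                findings.append((line_no, user, f"{name}: unlogged root shell"))
            elif name in ESCAPE_CAPABLE and "NOEXEC:" not in tags:
                findings.append((line_no, user, f"{name}: shell escape, add NOEXEC: or use sudoedit"))
    return findings
```

Running `audit_sudoers(SAMPLE_SUDOERS)` flags bob (su), alice (bash and vim) and dave (ALL), while ops and carol pass because the service command and the NOEXEC-tagged editor and pager give no shell.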



