List Archive: gentoo-security
> That means I have to either give my staff sudo access to use
> traceroute, when I want them to be able to use it to diagnose
> network problems. And set up in this same "security mindset", sudo
> will require a password upon execution.
Not necessarily so. You can have sudo not request a password by using
NOPASSWD in the sudoers file.
> A (imho) better solution would be to perhaps do a 4750 by default,
> and give it to a specific group, say "staff" or the like, this way I
> can add my staff to that particular group once, and not have to muck
> permissions every time a new release of traceroute comes out.
Being paranoid about my machine and giving out shell access to various users
I restricted my traceroute/ping/nmap access. Here is my sudoers:
Cmnd_Alias NMAP=/usr/bin/nmap
Cmnd_Alias TR=/usr/sbin/traceroute
Cmnd_Alias PNG=/bin/ping
Cmnd_Alias TRPNG=/usr/sbin/traceroute,/bin/ping
root ALL=(ALL) ALL
user1 ALL=(ALL) ALL
user2 ALL=(ALL) ALL
user3 ALL=(ALL) ALL
user4 ALL=NMAP,TRPNG
user5 ALL=NMAP,TRPNG
user6 ALL=NMAP,TRPNG
I require my users to put in their passwords because I can't stop them from
walking away from their terminals unattended. If you wanted it so that they
would not get prompted for their passwords you could put:
user4 ALL= NOPASSWD: NMAP,TRPNG
I personally like sudo because it makes people accountable for their
actions.
> $.02 + $.02 makes $.04, I should get an old top hat to collect the
> change..
>
> -d
Does that make $.06?
-bill
--
gentoo-security@g.o mailing list
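An added example, not part of the original message: a small audit that expands the Cmnd_Alias entries in a sudoers file like the one posted above and reports which users have unrestricted sudo and which rules skip the password prompt. It handles only a simplified subset of the sudoers grammar (Cmnd_Alias lines and one-rule user specs); the function names and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample: sudoers lines modelled on the message above, with the
# NOPASSWD variant applied to user4 (user names are the post's placeholders).
SAMPLE = """\
Cmnd_Alias NMAP=/usr/bin/nmap
Cmnd_Alias TRPNG=/usr/sbin/traceroute,/bin/ping
root ALL=(ALL) ALL
user1 ALL=(ALL) ALL
user4 ALL= NOPASSWD: NMAP,TRPNG
user5 ALL=NMAP,TRPNG
"""

# user  host = (runas)  [NOPASSWD:] command-list
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")

def audit(text):
    """Return {user: {"commands", "nopasswd", "unrestricted"}}."""
    aliases, report = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = SPEC.match(line)
        if not m:
            continue
        user, _host, _runas, rest = m.groups()
        nopasswd = rest.startswith("NOPASSWD:")
        if nopasswd:
            rest = rest[len("NOPASSWD:"):]
        cmds = []
        for item in (c.strip() for c in rest.split(",")):
            cmds.extend(aliases.get(item, [item]))  # expand alias or keep literal
        report[user] = {"commands": sorted(cmds), "nopasswd": nopasswd,
                        "unrestricted": "ALL" in cmds}
    return report

def findings(report):
    """List the entries a reviewer would want to look at first."""
    out = []
    for user, r in sorted(report.items()):
        if r["unrestricted"] and user != "root":
            out.append(f"{user}: full root via sudo")
        if r["nopasswd"]:
            out.append(f"{user}: no password for {', '.join(r['commands'])}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(audit(SAMPLE))))
```

On a live system, `visudo -c` checks the syntax of the real file and `sudo -l -U <user>` shows what sudo itself grants a given user.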