| 1 |
hi, |
| 2 |
|
| 3 |
On Sun, Jun 10, 2007 at 09:56:16PM +0200, Krzysztof Kozłowski wrote: |
| 4 |
> Hmmm, this is interesting. |
| 5 |
> |
| 6 |
> So for example I would like to get rid of sudo and replace its behavior with |
| 7 |
> su. How to: |
| 8 |
> 1. log all root commands (some clever "auditallow" rule?); |
| 9 |
|
| 10 |
no clue. I've seen a bashlogger USE flag that might do some logging for bash. |
| 11 |
|
| 12 |
> 2. do not need to know root password; |
| 13 |
|
| 14 |
I said "not keep in mind" and not "not need to know" ;) |
| 15 |
|
| 16 |
let's say you have the root password in a gpg encrypted file. same as the newrole password. |
| 17 |
you can have now an expect script that would do the following: |
| 18 |
- login to the remote server (ssh-agent also needed) |
| 19 |
- feed the passwords to newrole and sudo (gpg-agent needed) |
| 20 |
- run an optional command |
| 21 |
- become interactive |
| 22 |
|
| 23 |
my scripts are not exactly public-worty, but I guess you got the point. |
| 24 |
|
| 25 |
bye, |
| 26 |
peter |
| 27 |
|
| 28 |
> Petre Rodan wrote: |
| 29 |
> >> For example - I have to edit /etc/fstab. So I have two choices: |
| 30 |
> >> $ newrole -r sysadm |
| 31 |
> >> $ su - |
| 32 |
> >> # vi /etc/fstab |
| 33 |
> >> (or "$ su - -c 'vi /etc/fstab'") |
| 34 |
> >> or |
| 35 |
> >> $ newrole -r sysadm // or something else |
| 36 |
> >> $ sudo vi /etc/fstab |
| 37 |
> >> |
| 38 |
> >> And the first choice is better from security point of view? |
| 39 |
> > |
| 40 |
> > IMHO, yes. |
| 41 |
> |
| 42 |
> |
| 43 |
> -- |
| 44 |
> Krzysztof Kozłowski |
| 45 |
> http://www.kozik.net.pl |
| 46 |
> |
| 47 |
> |
| 48 |
> -- |
| 49 |
> gentoo-hardened@g.o mailing list |
| 50 |
> |
| 51 |
|
| 52 |
-- |
| 53 |
petre rodan |
| 54 |
<kaiowas@g.o> |
| 55 |
Developer, |
| 56 |
Hardened Gentoo Linux |
Archives