hi,

On Sun, Jun 10, 2007 at 09:56:16PM +0200, Krzysztof Kozłowski wrote:
> Hmmm, this is interesting.
>
> So for example I would like to get rid of sudo and replace its behavior with
> su. How to:
> 1. log all root commands (some clever "auditallow" rule?);

no clue. I've seen a bashlogger USE flag that might do some logging for bash.

> 2. do not need to know root password;

I said "not keep in mind" and not "not need to know" ;)

let's say you have the root password in a gpg encrypted file. same as the newrole password.
you can have now an expect script that would do the following:
- login to the remote server (ssh-agent also needed)
- feed the passwords to newrole and sudo (gpg-agent needed)
- run an optional command
- become interactive

my scripts are not exactly public-worthy, but I guess you got the point.

bye,
peter

> Petre Rodan wrote:
> >> For example - I have to edit /etc/fstab. So I have two choices:
> >> $ newrole -r sysadm
> >> $ su -
> >> # vi /etc/fstab
> >> (or "$ su - -c 'vi /etc/fstab'")
> >> or
> >> $ newrole -r sysadm // or something else
> >> $ sudo vi /etc/fstab
> >>
> >> And the first choice is better from security point of view?
> >
> > IMHO, yes.
>
>
> --
> Krzysztof Kozłowski
> http://www.kozik.net.pl
>
>
> --
> gentoo-hardened@g.o mailing list
>

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
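The four-step expect flow Peter sketches above, written out as an added example (this is not his script and not part of the thread). It assumes gpg-agent and ssh-agent are already running, that the two secrets live in ~/.secrets/newrole.gpg and ~/.secrets/root.gpg, that the SELinux role is sysadm_r, that sudo is configured with `Defaults rootpw` so it asks for the root password, and that the remote shell prompt ends in "$ ".

```tcl
#!/usr/bin/expect -f
# Added example, not the poster's script. Assumptions: gpg-agent and ssh-agent
# are running, secrets are in ~/.secrets/{newrole,root}.gpg, the SELinux role
# is sysadm_r, sudo uses "Defaults rootpw", and the remote prompt ends in "$ ".
# usage: ./rootshell.exp host [command ...]

if {$argc < 1} {
    puts stderr "usage: $argv0 host \[command ...\]"
    exit 1
}
set host [lindex $argv 0]
set cmd  [join [lrange $argv 1 end]]
set timeout 20
set prompt {\$ $}

# Decrypt a password through gpg-agent; the plaintext only ever lives in memory.
proc secret {file} {
    return [string trim [exec gpg --quiet --batch --decrypt $file 2>/dev/null]]
}
set newrole_pw [secret "$env(HOME)/.secrets/newrole.gpg"]
set root_pw    [secret "$env(HOME)/.secrets/root.gpg"]

# Step 1: log in to the remote server (key handled by ssh-agent).
spawn ssh $host
expect {
    -re $prompt {}
    timeout { puts stderr "no shell prompt from $host"; exit 2 }
}

# Step 2a: change SELinux role, answering newrole's password prompt.
send "newrole -r sysadm_r\r"
expect -re {[Pp]assword: ?$}
send -- "$newrole_pw\r"
expect -re $prompt

# Step 2b: cache sudo credentials so later sudo calls do not prompt again.
send "sudo -v\r"
expect {
    -re {[Pp]assword[^:]*: ?$} { send -- "$root_pw\r"; exp_continue }
    -re $prompt {}
}

# Step 3: optional command, then step 4: hand the session to the user.
if {$cmd ne ""} {
    send "sudo $cmd\r"
    expect -re $prompt
}
interact
```

The `--` on the `send` lines keeps a password that starts with a dash from being parsed as an option, and `exp_continue` re-enters the same `expect` so a repeated sudo prompt is answered until the shell prompt comes back.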