> That means I have to either give my staff sudo access to use
> traceroute, when I want them to be able to use it to diagnose
> network problems. And set up in this same "security mindset", sudo
> will require a password upon execution.

Not necessarily so. You can have sudo not request a password by using
NOPASSWD in the sudoers file.

> A (imho) better solution would be to perhaps do a 4750 by default,
> and give it to a specific group, say "staff" or the like, this way I
> can add my staff to that particular group once, and not have to muck
> permissions every time a new release of traceroute comes out.

Being paranoid about my machine and giving out shell access to various users,
I restricted my traceroute/ping/nmap access. Here is my sudoers:

Cmnd_Alias NMAP=/usr/bin/nmap
Cmnd_Alias TR=/usr/sbin/traceroute
Cmnd_Alias PNG=/bin/ping
Cmnd_Alias TRPNG=/usr/sbin/traceroute,/bin/ping

root ALL=(ALL) ALL
user1 ALL=(ALL) ALL
user2 ALL=(ALL) ALL
user3 ALL=(ALL) ALL
user4 ALL=NMAP,TRPNG
user5 ALL=NMAP,TRPNG
user6 ALL=NMAP,TRPNG

I require my users to put in their passwords because I can't stop them from
walking away from their terminals unattended. If you wanted it so that they
would not get prompted for their passwords you could put:

user4 ALL= NOPASSWD: NMAP,TRPNG

I personally like sudo because it makes people accountable for their
actions.

> $.02 + $.02 makes $.04, I should get an old top hat to collect the
> change..
>
> -d

Does that make $.06?

-bill


--
gentoo-security@g.o mailing list
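
Added example, not part of the original message or of sudo itself: a small audit of a sudoers fragment like the one above, expanding each Cmnd_Alias and reporting per user which commands are granted, whether NOPASSWD applies, and whether the grant is unrestricted. The function name `audit` and the simplified one-line grammar are assumptions of this example; the sample text is constructed from the lines in the message.

```python
import re

# Constructed sample: sudoers lines from the message above, with the
# NOPASSWD variant applied to user4 only.
SUDOERS = """\
Cmnd_Alias NMAP=/usr/bin/nmap
Cmnd_Alias TR=/usr/sbin/traceroute
Cmnd_Alias PNG=/bin/ping
Cmnd_Alias TRPNG=/usr/sbin/traceroute,/bin/ping

root  ALL=(ALL) ALL
user1 ALL=(ALL) ALL
user4 ALL= NOPASSWD: NMAP,TRPNG
user5 ALL=NMAP,TRPNG
"""

# Simplified grammar (assumption): one alias or one user spec per line,
# no line continuations, no Defaults, no per-command tags.
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(\([^)]*\))?\s*(NOPASSWD:)?\s*(.+)$")

def audit(text):
    """Return {user: {"commands": [...], "nopasswd": bool, "unrestricted": bool}}."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append(m.groups())
    report = {}
    for user, _host, _runas, nopasswd, cmds in specs:
        expanded = []
        for name in (c.strip() for c in cmds.split(",")):
            expanded.extend(aliases.get(name, [name]))  # alias, or literal path/ALL
        report[user] = {
            "commands": sorted(set(expanded)),
            "nopasswd": nopasswd is not None,
            "unrestricted": "ALL" in expanded,
        }
    return report

if __name__ == "__main__":
    for user, info in audit(SUDOERS).items():
        print(user, info)
```

On a live system, `visudo -c` checks the syntax of the real file and `sudo -l -U user4` shows what sudo itself resolves for a user.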