Gentoo Archives: gentoo-security

From: Bill Moritz <ego@××××××××××.com>
To: David Olsen <do@×××××××.com>, gentoo-security@g.o
Cc: gentoo-security-return-547-ego=djalterego.com@g.o
Subject: Re: [gentoo-security] Changes to traceroute in newest release
Date: Tue, 16 Dec 2003 19:06:24
Message-Id: 20031217010450.M46230@djalterego.com
In Reply to: Re: [gentoo-security] Changes to traceroute in newest release by David Olsen
> That means I have to either give my staff sudo access to use
> traceroute, when I want them to be able to use it to diagnose
> network problems. And set up in this same "security mindset", sudo
> will require a password upon execution.

Not necessarily so. You can have sudo not request a password by using
NOPASSWD in the sudoers file.

> A (imho) better solution would be to perhaps do a 4750 by default,
> and give it to a specific group, say "staff" or the like, this way I
> can add my staff to that particular group once, and not have to muck
> permissions every time a new release of traceroute comes out.

Being paranoid about my machine and giving out shell access to various users,
I restricted my traceroute/ping/nmap access. Here is my sudoers:

Cmnd_Alias NMAP=/usr/bin/nmap
Cmnd_Alias TR=/usr/sbin/traceroute
Cmnd_Alias PNG=/bin/ping
Cmnd_Alias TRPNG=/usr/sbin/traceroute,/bin/ping

root ALL=(ALL) ALL
user1 ALL=(ALL) ALL
user2 ALL=(ALL) ALL
user3 ALL=(ALL) ALL
user4 ALL=NMAP,TRPNG
user5 ALL=NMAP,TRPNG
user6 ALL=NMAP,TRPNG

I require my users to put in their passwords because I can't stop them from
walking away from their terminals unattended. If you wanted it so that they
would not get prompted for their passwords you could put:

user4 ALL= NOPASSWD: NMAP,TRPNG

I personally like sudo because it makes people accountable for their
actions.

> $.02 + $.02 makes $.04, I should get an old top hat to collect the
> change..
>
> -d

Does that make $.06?

-bill


--
gentoo-security@g.o mailing list
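An added example, not part of the posting above: a small audit script that reads a sudoers fragment in the style Bill shows (Cmnd_Alias lines plus "user HOST=[(runas)] [NOPASSWD:] cmd,cmd" specs), expands the aliases, and lists which users may run which commands without a password. The sudoers text embedded below is constructed from the posting with one extra NOPASSWD line for user5; it handles only the subset of sudoers syntax used there, not the full grammar.

```python
import re

# Constructed sample: the sudoers from the posting, trimmed, plus a NOPASSWD line
SAMPLE_SUDOERS = """
Cmnd_Alias NMAP=/usr/bin/nmap
Cmnd_Alias TR=/usr/sbin/traceroute
Cmnd_Alias PNG=/bin/ping
Cmnd_Alias TRPNG=/usr/sbin/traceroute,/bin/ping

root ALL=(ALL) ALL
user1 ALL=(ALL) ALL
user4 ALL=NMAP,TRPNG
user5 ALL= NOPASSWD: NMAP,TRPNG
"""

# user spec: user  host = [(runas)] [NOPASSWD:|PASSWD:] cmd[,cmd...]
USER_SPEC = re.compile(
    r"(\S+)\s+([^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)"
)


def parse_sudoers(text):
    """Return {user: [(command, needs_password), ...]} with Cmnd_Aliases expanded.
    Only the subset used in the posting is understood (assumption, not full sudoers)."""
    aliases = {}
    grants = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line[len("Cmnd_Alias"):].strip().partition("=")
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        user, _host, tag, cmds = m.groups()
        needs_pw = tag != "NOPASSWD"  # sudo's default is to prompt
        expanded = []
        for c in (x.strip() for x in cmds.split(",")):
            expanded.extend(aliases.get(c, [c]))  # alias -> commands, else literal
        grants.setdefault(user, []).extend((c, needs_pw) for c in expanded)
    return grants


def passwordless_grants(grants):
    """The entries a reviewer should look at first: commands runnable with no password."""
    return sorted((u, c) for u, entries in grants.items() for c, pw in entries if not pw)
```

Run over a real /etc/sudoers only after `visudo -c` has confirmed it parses, since this script does not validate syntax.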