Gentoo Archives: gentoo-security

From: Bill Moritz <ego@××××××××××.com>
To: David Olsen <do@×××××××.com>, gentoo-security@g.o
Subject: Re: [gentoo-security] Changes to traceroute in newest release
Date: Tue, 16 Dec 2003 19:06:24
In Reply to: Re: [gentoo-security] Changes to traceroute in newest release by David Olsen

> That means I have to either give my staff sudo access to use
> traceroute, when I want them to be able to use it to diagnose
> network problems. And set up in this same "security mindset", sudo
> will require a password upon execution.

Not necessarily so. You can have sudo not request a password by using NOPASSWD in the sudoers file.

> A (imho) better solution would be to perhaps do a 4750 by default,
> and give it to a specific group, say "staff" or the like, this way I
> can add my staff to that particular group once, and not have to muck
> permissions every time a new release of traceroute comes out.

Being paranoid about my machine and giving out shell access to various users I restricted my traceroute/ping/nmap access. Here is my sudoers:

Cmnd_Alias NMAP=/usr/bin/nmap
Cmnd_Alias TR=/usr/sbin/traceroute
Cmnd_Alias PNG=/bin/ping
Cmnd_Alias TRPNG=/usr/sbin/traceroute,/bin/ping

root ALL=(ALL) ALL
user1 ALL=(ALL) ALL
user2 ALL=(ALL) ALL
user3 ALL=(ALL) ALL
user4 ALL=NMAP,TRPNG
user5 ALL=NMAP,TRPNG
user6 ALL=NMAP,TRPNG

I require my users to put in their passwords because I can't stop them from walking away from their terminals unattended. If you wanted it so that they would not get prompted for their passwords you could put:

user4 ALL= NOPASSWD: NMAP,TRPNG

I personally like sudo because it makes people accountable for their actions.

> $.02 + $.02 makes $.04, I should get an old top hat to collect the
> > -d

Does that make $.06?

-bill

--
gentoo-security@g.o mailing list
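
Added example, not part of Bill's message: a small Python audit that expands the Cmnd_Alias entries of a sudoers like the one in the post and reports what each user can actually run, with or without a password. It handles only the subset of sudoers syntax used in the post (aliases defined before use, one rule per user), the sample is constructed from the post's lines, and it also flags commands listed without an argument list, since sudo then permits any arguments to them.

```python
import re

# Constructed sample: lines taken from the sudoers in the post (trimmed), with
# user4 carrying the NOPASSWD variant the post describes.
SUDOERS = """\
Cmnd_Alias NMAP=/usr/bin/nmap
Cmnd_Alias TRPNG=/usr/sbin/traceroute,/bin/ping
root ALL=(ALL) ALL
user4 ALL= NOPASSWD: NMAP,TRPNG
user5 ALL=NMAP,TRPNG
"""

ALIAS = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)")
RULE = re.compile(r"(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(.+)")

def expand(names, aliases):
    """Replace Cmnd_Alias names by their command paths (aliases may nest)."""
    out = []
    for n in (x.strip() for x in names.split(",")):
        out += expand(aliases[n], aliases) if n in aliases else [n]
    return out

def audit(text):
    """Return {user: {"cmds": [...], "nopasswd": bool, "flags": [...]}}."""
    aliases, report = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = ALIAS.fullmatch(line)
        if m:
            aliases[m.group(1)] = m.group(2)
            continue
        m = RULE.fullmatch(line)
        if not m:
            continue
        user, _host, _runas, nopw, cmds = m.groups()
        cmds = expand(cmds, aliases)
        flags = ["full root"] if "ALL" in cmds else []
        if nopw:
            flags.append("no password prompt")
        # A bare path with no argument list permits every option of that program.
        flags += [f"any arguments: {c}" for c in cmds if c != "ALL" and " " not in c]
        report[user] = {"cmds": cmds, "nopasswd": bool(nopw), "flags": flags}
    return report

if __name__ == "__main__":
    for user, info in audit(SUDOERS).items():
        print(user, "->", "; ".join(info["flags"]))
```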