On Thu, Dec 09, 2004 at 12:38:47PM -0600, John T. Hoffoss wrote:
> # visudo
> or
> $ sudo visudo
>
> Combined with
> ? man visudo
>
> WRT to locking sudo down, I'd give you a better answer, but I myself
> haven't delved into using the language used in /etc/sudoers. But from
> the security side of things, root should not be allowed to run sudo,
> else you can chain sudo commands to get a root shell (a la 'sudo sudo
> /bin/bash'). You can (and should) also disable su from execution, else
> you can just 'sudo su'. I'm sure there's much more, and I know enough
> to say you can get more granular. Denying 'sudo passwd' would be a
> good one to deny, as well...

Well, you're partially right :)

In sudoers, you can give a user all root access, or access to a list of
applications, or use deny to give access to everything except for certain
apps. The deny route doesn't work - because it's trivial to get around.
So, you end up making a list of apps that a user (or group of users) can
use.

Umm, you have to be very careful what you give your users access to. For
instance, if users have access to vi, they can easily run shell commands.

Sudo has its place, but it can hurt your security as much as it can help
if you're not extremely careful. Especially since now all of a sudden user
passwords (which are never trustworthy) have root access!

I have found good uses for it where people need root for something, being
able to just give them access to one thing is nice. Often I'll give sudo
access to a short wrapper script that'll do a very specific task.

HTH,
dan
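
Added example, not part of the original message: a small Python check that flags the sudoers patterns discussed above (a deny list built on ALL, and grants of vi, su, sudo, shells or passwd). The parser is simplified and assumes one-line user specs with no aliases or includes; the sample entries, user names and the restart-web path are constructed.

```python
import re

# Constructed sample sudoers entries (not from the original message).
SAMPLE = """\
# constructed example
alice ALL = (root) ALL, !/bin/su, !/usr/bin/passwd
bob   ALL = (root) /usr/bin/vi /etc/hosts
carol ALL = (root) /usr/local/sbin/restart-web
dave  ALL = (root) NOPASSWD: /usr/bin/sudo, /bin/bash
"""

# Programs named in the thread, plus common shells (assumption: extend per site).
RISKY = {
    "vi": "editor can run shell commands",
    "su": "gives a root shell",
    "sudo": "allows chaining to a root shell",
    "bash": "is a shell",
    "sh": "is a shell",
    "passwd": "can change any account's password",
}

# user  host = (runas) command-list   (simplified: no aliases, no continuations)
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def audit(text):
    """Return (user, kind, detail) findings for risky sudoers grants."""
    findings = []
    for line in text.splitlines():
        m = SPEC.match(line.split("#", 1)[0].strip())
        if not m or m.group(1) == "Defaults":
            continue
        user = m.group(1)
        # Strip tags such as NOPASSWD: from each command spec.
        specs = [re.sub(r"^(?:[A-Z]+:\s*)+", "", c.strip())
                 for c in m.group(2).split(",")]
        negated = [s for s in specs if s.startswith("!")]
        if "ALL" in specs:
            kind = "deny-list" if negated else "full-root"
            detail = "ALL with exclusions" if negated else "unrestricted ALL"
            findings.append((user, kind, detail))
        for s in specs:
            if not s or s == "ALL" or s.startswith("!"):
                continue
            name = s.split()[0].rsplit("/", 1)[-1]  # basename of the command
            if name in RISKY:
                findings.append((user, "risky-command", f"{name} {RISKY[name]}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

carol's entry, a single narrowly scoped wrapper script, is the only one that produces no finding.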