sudoers configuration file .........

Printable View

November 28th, 2005, 10:30 PM
netWORDKED

sudoers configuration file .........

Hi, :D

I'm somewhat new to linux, but not in desktop usage sense. Just the security side
I'm new at, I've only be using linux seriously for about a month. I was configuring sudoers
configuration file last night and was wondering if I didn't make any novice syntax errors,
misconfiguration mistakes, and security problems ...... :confused:

I read the man and somewhat figure it out,
but just checking. I did also configure syslog
to but I don't want to ask to much for my first post, nor be to insertive.

The following below is the configuration file for sudoers:

# sudoers configufile.

Defaults syslog=auth,authpriv,user,daemon

Defaults>root !set_logname

Defaults mail_badpass, mailsub ** BAD AUTHENICATION: %U %h **

Defaults mail_no_user, mailsub ** USER NOT IN SUDOERS: %U %h **

Defaults mail_perms, mailsub ** SUDO PERMISSION ABUSE: %U %h **

Defaults log_year, log_host, logfile=/var/log/sudo

Defauls badpass_message YOU ARE BEING LOGGED !! \
..... (*mumbles* as soon as I figure out how this darn thing works)

Defaults noexec

Defaults verifypw=any

root ALL = (ALL) ALL
id ALL = ALL, !/usr/bin/passwd
November 29th, 2005, 12:46 AM
netWORDKED

Hi , :0

(*watching tumble weed roll by*)
Hi did I get the syntax right atleast ?
November 29th, 2005, 05:09 AM
Maestr0

"Defaults syslog=auth,authpriv,user,daemon"

Why so many facilities? authpriv would be sufficient

"defaults noexec"
Not even sure how this would work. Usually you use NOEXEC as a tag for a command to prevent shell spawning, like NOEXEC: /usr/bin/vi
Not sure what it'll will say without a command, but it probably wont be good.

"Defaults verifypw=any"
not doing much for you.

"id ALL = ALL, !/usr/bin/passwd"

Its useless to use ALL then try to subtract stuff. One could easily "sudo bash" then "passwd" or "sudo vi" and escape to shell then "passwd" etc,etc.

Its all in the man page.

-Maestr0
November 29th, 2005, 05:46 AM
netWORDKED

Alright I change the lines ...

Defaults syslog=auth,authpriv,user,daemon
id ALL = ALL, !/usr/bin/passwd

To ....
Defaults syslog=authpriv
id ALL=ALL

I just decide to give id full root rights, I think that having to authenicate to sudo a enough.
But I'm new I problemly wrong.

I'v also completely remove the line .....
Defaults verifypw=any
Defaults noexec

When I give other users roots rights I'll make sure that there limited number of commands and that the
specific commands have the NOEXEC.

Could you also disable a users ability with sudo with limited root commands to transcend into directories I don't
want them messing with.
November 29th, 2005, 10:40 AM
bAgZ

Try this its a pretty good guide http://www.linuxhelp.net/guides/sudo/