Results 1 to 5 of 5

Thread: sudoers configuration file .........

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    3

    sudoers configuration file .........

    Hi,

    I'm somewhat new to linux, but not in desktop usage sense. Just the security side
    I'm new at, I've only be using linux seriously for about a month. I was configuring sudoers
    configuration file last night and was wondering if I didn't make any novice syntax errors,
    misconfiguration mistakes, and security problems ......

    I read the man and somewhat figure it out,
    but just checking. I did also configure syslog
    to but I don't want to ask to much for my first post, nor be to insertive.

    The following below is the configuration file for sudoers:

    # sudoers configufile.

    Defaults syslog=auth,authpriv,user,daemon

    Defaults>root !set_logname

    Defaults mail_badpass, mailsub ** BAD AUTHENICATION: %U %h **

    Defaults mail_no_user, mailsub ** USER NOT IN SUDOERS: %U %h **

    Defaults mail_perms, mailsub ** SUDO PERMISSION ABUSE: %U %h **

    Defaults log_year, log_host, logfile=/var/log/sudo

    Defauls badpass_message YOU ARE BEING LOGGED !! \
    ..... (*mumbles* as soon as I figure out how this darn thing works)

    Defaults noexec

    Defaults verifypw=any

    root ALL = (ALL) ALL
    id ALL = ALL, !/usr/bin/passwd

  2. #2
    Junior Member
    Join Date
    Nov 2005
    Posts
    3
    Hi , :0

    (*watching tumble weed roll by*)
    Hi did I get the syntax right atleast ?

  3. #3
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    "Defaults syslog=auth,authpriv,user,daemon"

    Why so many facilities? authpriv would be sufficient

    "defaults noexec"
    Not even sure how this would work. Usually you use NOEXEC as a tag for a command to prevent shell spawning, like NOEXEC: /usr/bin/vi
    Not sure what it'll will say without a command, but it probably wont be good.


    "Defaults verifypw=any"
    not doing much for you.


    "id ALL = ALL, !/usr/bin/passwd"

    Its useless to use ALL then try to subtract stuff. One could easily "sudo bash" then "passwd" or "sudo vi" and escape to shell then "passwd" etc,etc.

    Its all in the man page.

    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  4. #4
    Junior Member
    Join Date
    Nov 2005
    Posts
    3
    Alright I change the lines ...

    Defaults syslog=auth,authpriv,user,daemon
    id ALL = ALL, !/usr/bin/passwd

    To ....
    Defaults syslog=authpriv
    id ALL=ALL

    I just decide to give id full root rights, I think that having to authenicate to sudo a enough.
    But I'm new I problemly wrong.

    I'v also completely remove the line .....
    Defaults verifypw=any
    Defaults noexec

    When I give other users roots rights I'll make sure that there limited number of commands and that the
    specific commands have the NOEXEC.

    Could you also disable a users ability with sudo with limited root commands to transcend into directories I don't
    want them messing with.

  5. #5
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    Try this its a pretty good guide http://www.linuxhelp.net/guides/sudo/

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •