-
November 28th, 2005, 10:30 PM
#1
Junior Member
sudoers configuration file .........
Hi,
I'm somewhat new to Linux, but not in the desktop usage sense. It's just the security side
I'm new at; I've only been using Linux seriously for about a month. I was configuring the sudoers
configuration file last night and was wondering whether I made any novice syntax errors,
misconfiguration mistakes, or security problems ......
I read the man and somewhat figured it out,
but I'm just checking. I did also configure syslog
too, but I don't want to ask too much for my first post, nor be too insertive.
The following is the configuration file for sudoers:
# sudoers configufile.
Defaults syslog=auth,authpriv,user,daemon
Defaults>root !set_logname
Defaults mail_badpass, mailsub ** BAD AUTHENICATION: %U %h **
Defaults mail_no_user, mailsub ** USER NOT IN SUDOERS: %U %h **
Defaults mail_perms, mailsub ** SUDO PERMISSION ABUSE: %U %h **
Defaults log_year, log_host, logfile=/var/log/sudo
Defauls badpass_message YOU ARE BEING LOGGED !! \
..... (*mumbles* as soon as I figure out how this darn thing works)
Defaults noexec
Defaults verifypw=any
root ALL = (ALL) ALL
id ALL = ALL, !/usr/bin/passwd
-
November 29th, 2005, 12:46 AM
#2
Junior Member
Hi, :0
(*watching tumbleweed roll by*)
Hi, did I get the syntax right at least?
-
November 29th, 2005, 05:09 AM
#3
"Defaults syslog=auth,authpriv,user,daemon"
Why so many facilities? authpriv would be sufficient.
"defaults noexec"
Not even sure how this would work. Usually you use NOEXEC as a tag for a command to prevent shell spawning, like NOEXEC: /usr/bin/vi
Not sure what it'll say without a command, but it probably won't be good.
"Defaults verifypw=any"
Not doing much for you.
"id ALL = ALL, !/usr/bin/passwd"
It's useless to use ALL then try to subtract stuff. One could easily "sudo bash" then "passwd" or "sudo vi" and escape to shell then "passwd", etc., etc.
It's all in the man page.
-Maestr0
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
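An added example, not part of the original thread or any poster's code: a small Python check run over an abridged copy of the posted file, covering the two rule problems pointed out in the reply above (several syslog facilities, ALL combined with a negated command) plus the misspelled Defaults keyword visible in the file. The function name audit, the sample and the facility list are assumptions made for this illustration.

```python
import re

# Constructed sample: an abridged copy of the sudoers file from the first post.
SAMPLE = """\
Defaults syslog=auth,authpriv,user,daemon
Defaults>root !set_logname
Defaults log_year, log_host, logfile=/var/log/sudo
Defauls badpass_message YOU ARE BEING LOGGED !!
Defaults noexec
root ALL = (ALL) ALL
id ALL = ALL, !/usr/bin/passwd
"""

FACILITIES = {"authpriv", "auth", "daemon", "user"} | {f"local{i}" for i in range(8)}
DEFAULTS_RE = re.compile(r"^Defaults([@:!>]\S+)?\s+(.+)$")
USERSPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(\([^)]*\)\s*)?(.+)$")  # user host = (runas) cmds


def audit(text):
    """Return (line number, finding) pairs for the three issues this sketch knows about."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        d = DEFAULTS_RE.match(line)
        if d:
            s = re.search(r"\bsyslog\s*=\s*([\w,]+)", d.group(2))
            extra = [t for t in s.group(1).split(",")[1:] if t in FACILITIES] if s else []
            if extra:
                findings.append((n, "syslog takes one facility; extra: " + ",".join(extra)))
            continue
        u = USERSPEC_RE.match(line)
        if not u:
            findings.append((n, "not a Defaults entry or user specification: " + line.split()[0]))
            continue
        # Drop tags such as NOEXEC: before comparing command names.
        cmds = [re.sub(r"^[A-Z_]+:\s*", "", c.strip()) for c in u.group(4).split(",")]
        denied = [c for c in cmds if c.startswith("!")]
        if "ALL" in cmds and denied:
            findings.append((n, f"{u.group(1)}: ALL with {denied[0]} is a denylist, "
                                "any permitted shell or editor sidesteps it"))
    return findings


if __name__ == "__main__":
    for n, msg in audit(SAMPLE):
        print(f"line {n}: {msg}")
```

`visudo -c` remains the authoritative syntax check; this sketch ignores aliases and line continuations.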
-
November 29th, 2005, 05:46 AM
#4
Junior Member
Alright, I changed the lines ...
Defaults syslog=auth,authpriv,user,daemon
id ALL = ALL, !/usr/bin/passwd
To ....
Defaults syslog=authpriv
id ALL=ALL
I just decided to give id full root rights; I think that having to authenticate to sudo is enough.
But I'm new, I'm probably wrong.
I've also completely removed the lines .....
Defaults verifypw=any
Defaults noexec
When I give other users root rights I'll make sure that there's a limited number of commands and that the
specific commands have the NOEXEC.
Could you also disable a user's ability, with sudo with limited root commands, to transcend into directories I don't
want them messing with?
-
November 29th, 2005, 10:40 AM
#5