changes to the use of sudo on project machines
- Subject: changes to the use of sudo on project machines
- From: Peter Palfrader <firstname.lastname@example.org>
- Date: Wed, 17 Sep 2008 02:54:36 +0200
- Message-id: <20080917005436.GW9633@anguilla.noreply.org>
[please follow up to -project or -admin or just me, depending on what
seems more appropriate.]

If you use sudo on project machines this will affect you.

The short version:

If you want to use sudo in the future, go to http://db.debian.org/ and set a
sudo password for yourself.

A slightly longer version:

We are trying to limit the exposure of login and LDAP passwords on project
machines. Currently everybody who is using sudo on a project machine has
to use their login and LDAP password, which in case of a compromise can be
used to access other machines and change the user's settings in LDAP.

Since sudo uses the PAM library to authenticate users, we can make use of a
dedicated passwords file using libpam-pwdfile for authentication to sudo.

Userdir-ldap (http://db.debian.org) has been modified to allow users to set a
(per host if desired) password for their use of sudo. After setting a new sudo
password on the web interface this change has to be confirmed by sending a
signed mail - the web interface should instruct you accordingly. This
confirmation is intended to prevent an attacker who has learned a login/LDAP
password from elevating this to sudo access.

We are slowly updating the machines to use the new config. Please see
https://dsawiki.debian.org/dsawiki/New-Sudo for per-machine progress.

[is there a list that all buildd admins are on?]
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
http://www.palfrader.org/  | `. `'      Operating System
                           |   `-    http://www.debian.org/
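
An added example, not part of the original mail and not the project's own tooling: a small audit of a sudo PAM service file that checks whether sudo authenticates only against a dedicated libpam-pwdfile password file, as the mail describes, or can still accept the login/LDAP password. The module list, the sample configurations and the path /path/to/sudo-passwd are assumptions constructed for illustration.

```python
import re

# Assumption: modules that check the login/LDAP password on these hosts.
LOGIN_MODULES = {"pam_unix.so", "pam_ldap.so"}
# Debian common-* includes that do not contribute "auth" rules.
NON_AUTH_INCLUDES = {"common-account", "common-session",
                     "common-session-noninteractive", "common-password"}
# type, control (plain word or [bracketed]), module, remaining arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def audit_sudo_pam(text):
    """Return findings for the auth stack of a sudo PAM service file."""
    findings, saw_pwdfile = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            target = line.split()[1]
            if target not in NON_AUTH_INCLUDES:
                findings.append(f"line {n}: @include {target} may accept the login password")
            continue
        m = RULE.match(line)
        if not m or m.group(1) != "auth":
            continue
        control, module, args = m.group(2), m.group(3).rsplit("/", 1)[-1], m.group(4)
        if module == "pam_pwdfile.so":
            saw_pwdfile = True
            if control not in ("required", "requisite"):
                findings.append(f"line {n}: pam_pwdfile is '{control}', later rules can still decide")
            if "pwdfile" not in args:
                findings.append(f"line {n}: pam_pwdfile has no pwdfile argument")
        elif module in LOGIN_MODULES:
            findings.append(f"line {n}: {module} accepts the login password")
    if not saw_pwdfile:
        findings.append("no pam_pwdfile auth rule: sudo is not using a dedicated password file")
    return findings

# Constructed samples; /path/to/sudo-passwd is a placeholder, not the project's path.
OLD = "@include common-auth\n@include common-account\n"
NEW = "auth required pam_pwdfile.so pwdfile=/path/to/sudo-passwd\n@include common-account\n"
MIXED = "auth sufficient pam_pwdfile.so pwdfile=/path/to/sudo-passwd\n@include common-auth\n"

if __name__ == "__main__":
    for name, cfg in (("old", OLD), ("new", NEW), ("mixed", MIXED)):
        print(name, audit_sudo_pam(cfg) or "ok")
```

The MIXED sample is the case to watch for during a gradual rollout: the dedicated file is consulted, but a failed match falls through to the shared login stack.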