Re: sudoer security problem on server
Nate Bargmann wrote:
> I'm no security or sudo expert, but it seems to me that the devs should
> only have access to the commands they need. For example if they need
> to install to /usr/local/ using `make install' you can enable that
> specific command. For example I did that for myself (single user box)
> so that I could run `sudo make install|uninstall' without having to
> enter my password:
>
> %USER HOSTNAME=NOPASSWD: /usr/bin/make
>
> I replace USER and HOSTNAME with my local values. The sudoers man page
> is quite extensive as well.
>
This will allow them to run make as root. Not only will they be able to
install anywhere (not only under /usr/local), but they can run any
command by creating a Makefile that does what they want to do.
If one wants to restrict access to a directory, file permissions (or
ACLs) are more efficient.
--
A musical reviewer admitted he always praised the first show of a
new theatrical season. "Who am I to stone the first cast?"
Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
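
Added example (not part of the original message or of sudo itself): a small audit that reads sudoers-style rules and reports grants of programs that run caller-supplied commands, the problem described in the reply above. It assumes a simplified rule grammar and does not expand aliases; the program list beyond make and every name in the sample are constructed for illustration.

```python
import re

# Programs that execute commands taken from caller-controlled input. "make" is
# the case from this thread; the other names are an illustrative, partial list.
RUNS_CALLER_INPUT = {"make", "sh", "bash", "python3", "perl", "vi", "find"}

# Simplified user specification: WHO HOSTS = [(RUNAS)] [TAG:]... CMD[, CMD]...
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*(?:\([^)]*\)\s*)?"
                  r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample; group, user, host and script names are placeholders.
SAMPLE = """\
%devs   buildhost = NOPASSWD: /usr/bin/make
alice   buildhost = /usr/bin/make install, \\
                    /usr/local/sbin/deploy-site
"""

def logical_lines(text):
    """Join backslash continuations; drop blank, comment and #include lines."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Return (who, command, nopasswd) for every grant worth a manual review."""
    findings = []
    for line in logical_lines(text):
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue                      # settings and alias definitions
        m = SPEC.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in filter(None, (c.strip() for c in m["cmds"].split(","))):
            program = cmd.split()[0].rsplit("/", 1)[-1]
            # Flagged even when arguments are pinned: "make install" still
            # runs whatever recipe the Makefile in the caller's directory has.
            if program == "ALL" or program in RUNS_CALLER_INPUT:
                findings.append((m["who"], cmd, nopasswd))
    return findings

if __name__ == "__main__":
    for who, cmd, nopasswd in audit(SAMPLE):
        print(f"{who}: {cmd}" + (" (no password)" if nopasswd else ""))
```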