Re: sudoer security problem on server



Nate Bargmann wrote:
> I'm no security or sudo expert, but it seems to me that the devs should
> only have access to the commands they need.  For example if they need
> to install to /usr/local/ using `make install' you can enable that
> specific command.  For example I did that for myself (single user box)
> so that I could run `sudo make install|uninstall' without having to
> enter my password:
>
> %USER   HOSTNAME=NOPASSWD: /usr/bin/make
>
> I replace USER and HOSTNAME with my local values.  The sudoers man page
> is quite extensive as well.
>   

This will allow them to run make as root. Not only will they be able to
install anywhere (not only under /usr/local), but they can run any
command by creating a Makefile that does what they want to do.

If one wants to restrict access to a directory, file permissions (or
ACLs) are more efficient.


-- 
	A musical reviewer admitted he always praised the first show of a
new theatrical season.  "Who am I to stone the first cast?"

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
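
An added example, not part of the original message: a small Python check that flags sudoers rules like the one quoted above, where the granted program runs instructions written by the caller. The program list, the rules for alice and bob, and the function name are assumptions for illustration; line continuations are not joined and aliases are not expanded.

```python
import os
import re

# Assumption: a small illustrative set, not a complete list, of programs
# that execute instructions supplied by the caller (Makefiles, scripts, -exec).
RUNS_CALLER_INPUT = {"make", "sh", "bash", "env", "find", "awk", "perl", "python3"}

RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(.+)$")          # who hosts = spec
PREFIX = re.compile(r"^(\([^)]*\)\s*)?((?:[A-Z_]+:\s*)*)")    # (runas) TAG: TAG:

# Constructed sample; only the %USER rule is the one quoted in the thread.
SAMPLE = """\
# developers
%USER   HOSTNAME=NOPASSWD: /usr/bin/make
alice   ALL=(root) /usr/bin/systemctl restart nginx
bob     ALL=(ALL) NOPASSWD: ALL
"""


def audit_sudoers(text):
    """Return (line_no, who, command, nopasswd, reason) for risky grants."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = RULE.match(line)
        # Skip comments, includes, Defaults and alias definitions.
        if (not m or line.startswith(("#", "@", "Defaults"))
                or m.group(1).endswith("_Alias")):
            continue
        who, nopasswd = m.group(1), False
        for item in m.group(3).split(","):
            item = item.strip()
            pre = PREFIX.match(item)
            # A tag stays in effect for the following commands in the list.
            if "NOPASSWD:" in pre.group(2):
                nopasswd = True
            elif "PASSWD:" in pre.group(2):
                nopasswd = False
            command = item[pre.end():]
            if not command:
                continue
            prog = os.path.basename(command.split()[0])
            if command == "ALL":
                reason = "grants every command"
            elif prog in RUNS_CALLER_INPUT:
                reason = prog + " executes caller-supplied input as the target user"
            else:
                continue
            findings.append((no, who, command, nopasswd, reason))
    return findings
```

Run over the sample, it reports the `make` rule on line 2 and the blanket `ALL` rule on line 4, and leaves the fixed `systemctl restart nginx` command alone.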

