
Re: sudo logging



Chris Davies wrote:
> Berthold Cogel <cogel@uni-koeln.de> wrote:
>> We're doing something like this in /etc/sudoers:
> 
> 
>> Cmnd_Alias      SHELLS =        /bin/sh, \
>>                                /bin/bash, \
> 				[...]
> 
>> TRUSTED_USR  ALL = NOPASSWD:    ALL ,!SHELLS, NOROOT
> 
> Surely this breaks trivially?
> 
>     ln -s /bin/bash /tmp/somethingelse
>     sudo /tmp/somethingelse
> 
> Chris
> 
> 

Of course you're right...

But in this case TRUSTED_USR means what it says... It's only to prevent
colleagues from shooting themselves.

For the very special setup on some of our systems they need a lot of
permissions. But we don't want them to be root for some reasons.
Surely they can break the setup if they want. But they gain nothing if
they do.

It's not a setup we make for every user. But it would be a waste to
define each single command in this case. If they really need to be root,
they can use sudosh.


Berthold
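
An added example, not part of either poster's message: a small audit script that flags sudoers rules of the `ALL, !X` form discussed in this thread, so that such rules are reviewed as convenience guards rather than counted as access controls. The parser is deliberately simplified (no includes, no escaped commas), and the `SAMPLE` text, including the bodies of `SHELLS` and `NOROOT` and the extra users, is constructed for illustration.

```python
import re

# Constructed sample modelled on the rule quoted in the thread; the alias
# bodies and the extra users are assumptions made for this example.
SAMPLE = r"""
Cmnd_Alias   SHELLS = /bin/sh, \
                      /bin/bash
Cmnd_Alias   NOROOT = !/bin/su
TRUSTED_USR  ALL = NOPASSWD:    ALL ,!SHELLS, NOROOT
backup       ALL = /usr/bin/rsync
admin        ALL = (ALL) ALL
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.*)$")
SPEC_RE = re.compile(r"^(?!(?:Cmnd|User|Host|Runas)_Alias\b|Defaults)(\S+)\s+(\S+)\s*=\s*(.*)$")
PREFIX_RE = re.compile(r"^(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*")  # (runas) and TAG:

def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines (simplified)."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def split_cmds(s):
    return [c.strip() for c in s.split(",") if c.strip()]

def expand(item, aliases, neg=False):
    """Yield (negated, command) pairs, following Cmnd_Alias names."""
    while item.startswith("!"):
        neg, item = not neg, item[1:].strip()
    for sub in aliases.get(item, ()):
        yield from expand(sub, aliases, neg)
    if item not in aliases:
        yield neg, item

def audit(text):
    """Return (user, denied_commands) for every rule of the form ALL, !X."""
    lines = list(logical_lines(text))
    aliases = {m.group(1): split_cmds(m.group(2))
               for m in map(ALIAS_RE.match, lines) if m}
    findings = []
    for m in filter(None, map(SPEC_RE.match, lines)):
        cmds = [pair for item in split_cmds(m.group(3))
                for pair in expand(PREFIX_RE.sub("", item), aliases)]
        denied = sorted(c for neg, c in cmds if neg)
        if (False, "ALL") in cmds and denied:
            findings.append((m.group(1), denied))
    return findings
```

Calling `audit(SAMPLE)` reports only the `TRUSTED_USR` rule, together with the negated paths it relies on; the plain `ALL` grant and the single-command grant are not flagged.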

