
Re: sudo logging



interesting indeed

Does anyone have any experience with:
http://freshmeat.net/projects/sudoscript/


On Fri, Jul 24, 2009 at 9:55 AM, Berthold Cogel<cogel@uni-koeln.de> wrote:
> Chris Davies wrote:
>> Berthold Cogel <cogel@uni-koeln.de> wrote:
>>> We're doing something like this in /etc/sudoers:
>>
>>
>>> Cmnd_Alias      SHELLS =        /bin/sh, \
>>>                                /bin/bash, \
>>                               [...]
>>
>>> TRUSTED_USR  ALL = NOPASSWD:    ALL ,!SHELLS, NOROOT
>>
>> Surely this breaks trivially?
>>
>>     ln -s /bin/bash /tmp/somethingelse
>>     sudo /tmp/somethingelse
>>
>> Chris
>>
>>
>
> Of course you're right...
>
> But in this case TRUSTED_USR means what it says... It's only to prevent
> colleagues from shooting themselves.
>
> For the very special setup on some of our systems they need a lot of
> permissions. But we don't want them to be root for some reasons.
> Surely they can break the setup if they want. But they gain nothing if
> they do.
>
> It's not a setup we make for every user. But it would be a waste to
> define each single command in this case. If they really need to be root,
> they can use sudosh.
>
>
> Berthold
>
>

