
RE: Configure sudo



Having a quick Google look, perhaps this could be a solution for your problem:

http://www.unix.com/unix-advanced-expert-users/39736-sudoer-file-controlling-parameters.html

I'm sure, though, that you can specify the parameters used in the sudoers file; one of my (private) machines is set up that way to allow others only to restart Apache.
Will have to double-check at a later point, though; no access to it from the workplace...


> -----Original Message-----
> From: Denis Witt [mailto:denis.witt@concepts-and-training.de]
> Sent: 25 May 2012 09:13
> To: debian-user@lists.debian.org
> Subject: Configure sudo
>
> Hi List,
>
> We're running a server for a German bank. Of course we want to keep our
> services secure. A partner of ours has to install a web-based service (php,
> python and sql) on this machine. This partner will also be in charge of support
> and maintenance of this software.
>
> So he needs access to the server, sftp isn't enough. There may be changes in
> the web server php.ini necessary from time to time. The web server needs
> some restarting, etc. Files must be edited and so on.
>
> sudo might be a fine solution, but sudo is way too mighty in its defaults. I
> know that you can allow and disallow certain commands only.
>
> sudo su must be disabled of course, also /etc/sudoers must be write
> protected, even for root. This is no problem if you use chattr +i /etc/sudoers.
>
> But I think enabling all commands and disallowing some, like su and all known
> shells ;), isn't a good way to go. I would like to disallow all commands by
> default but allow some of them:
>
> * restarting of web server
> * editing of php.ini
> * file transfer (ftp-ssl, sftp, http, etc.)
> * chmod/chown (some files only)
> * git, svn, rcs
> * some editors
> * apt-get install but not remove
> * dpkg-reconfigure
>
> What else?
>
> When I did some tests with sudoers I wasn't able to disallow certain
> commands with parameters like:
>
> passwd root
>
> The only way was to disable passwd at all, which isn't nice. Is there another
> way to allow some parameters for certain commands?
>
> Thanks!
>
> Best regards
> Denis
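
Added example, not written by either poster: a sudoers fragment showing per-argument rules of the kind the thread asks about (restart the web server, edit php.ini, run passwd for one account but not root). The user name partner, the account webapp and every path are assumptions, not values from the thread.

```sudoers
# /etc/sudoers.d/partner  (hypothetical file name)
# Edit with:  visudo -f /etc/sudoers.d/partner
# Check with: visudo -c
#
# sudo denies everything that is not listed, so this is an allow-list:
# no "ALL" followed by "!" exclusions. The sudoers manual itself notes
# that subtracting commands from ALL with "!" is generally not effective,
# because the excluded program can be copied or reached under another name.

# When arguments are given in a rule, the invocation must match them.
# "apache2ctl restart" is allowed; "apache2ctl -f /tmp/x.conf" is not.
# Path assumed for a Debian Apache install.
Cmnd_Alias WEB_RESTART = /usr/sbin/apache2ctl restart, \
                         /usr/sbin/apache2ctl graceful, \
                         /usr/sbin/apache2ctl configtest

# sudoedit copies the file, runs the editor as the invoking user and
# writes the result back as root. The editor never runs as root, so an
# editor shell escape does not yield a root shell. Path is assumed.
Cmnd_Alias PHP_INI = sudoedit /etc/php5/apache2/php.ini

# Allow passwd for one named account only (hypothetical "webapp").
# "passwd root" and a bare "passwd" do not match this rule and are denied.
Cmnd_Alias APP_PASSWD = /usr/bin/passwd webapp

# Caution with wildcards in arguments: sudoers matches the arguments as
# one concatenated string, so "*" also matches spaces and further options.
# Prefer listing exact argument strings as above.

partner ALL = (root) WEB_RESTART, PHP_INI, APP_PASSWD
```

As the partner user, `sudo -l` lists exactly the rules that apply, which is a quick way to confirm nothing broader is granted.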

