Re: Configure sudo

To: debian-user@lists.debian.org
Subject: Re: Configure sudo
From: rjc <rjc@linuxstuff.pl>
Date: Fri, 25 May 2012 11:08:51 +0100
Message-id: <[🔎] 20120525100851.GA13117@linuxstuff.pl>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 80E5D5CC-AE42-43E8-9125-D9C790B82970@concepts-and-training.de>
References: <[🔎] 80E5D5CC-AE42-43E8-9125-D9C790B82970@concepts-and-training.de>

On Fri, May 25, 2012 at 09:13:05AM BST, Denis Witt wrote:
> sudo su must be disabled of course, also /etc/sudoers must be write protected, even for root. This is no problem if you use chattr +i /etc/sudoers.

/etc/sudoers file is read only by default.

> But i think enable all commands and disallow some, line su and all known shells ;), isn't a good way to go. I would like to disallow all commands by default but allow some of them:

What's wrong with specifying ONLY the commands which a user is allowed
to run as root?

> * restarting of web server
> * editing of php.ini
> * file transfer (ftp-ssl, sftp, http, etc.)
> * chmod/chown (some files only)
> * git, svn, rcs
> * some editors
> * apt-get install but not remove
> * dpkg-reconfigure
> 
> What else?

What else is he supposed to do?

> When i did some tests with sudoers i wasn't able to disallow certain commands with parameters like:
> 
> passwd root
> 
> The only way was to disable passwd at all, which isn't nice. Is there another way to allow some parameters for certain commands?

Yes, simply specify the commands with their options:

user	host = /path/to/command option

You might find aliases useful.

man sudoers

Cheers,
-- 
rjc

Reply to:

References:
- Configure sudo
  - From: Denis Witt <denis.witt@concepts-and-training.de>

Prev by Date: RE: Configure sudo
Next by Date: Re: Configure sudo
Previous by thread: Re: Configure sudo
Next by thread: Re: Configure sudo
Index(es):
- Date
- Thread