
Re: Configure sudo



On Fri, May 25, 2012 at 4:13 AM, Denis Witt
<denis.witt@concepts-and-training.de> wrote:
>
> We're running a server for a German bank. Of course we want to keep our services secure. A partner of ours has to install a web-based service (PHP, Python and SQL) on this machine. This partner will also be in charge of support and maintenance of this software.
>
> So he needs access to the server; sftp isn't enough. Changes to the web server's php.ini may be necessary from time to time. The web server needs restarting now and then, files must be edited, and so on.
>
> sudo might be a fine solution, but sudo is way too mighty in its defaults. I know that you can allow and disallow certain commands only.
>
> sudo su must be disabled, of course; also, /etc/sudoers must be write-protected, even for root. This is no problem if you use chattr +i /etc/sudoers.
>
> But I think enabling all commands and disallowing some, like su and all known shells ;), isn't a good way to go. I would like to disallow all commands by default but allow some of them:
>
> * restarting of web server
> * editing of php.ini
> * file transfer (ftp-ssl, sftp, http, etc.)
> * chmod/chown (some files only)
> * git, svn, rcs
> * some editors
> * apt-get install but not remove
> * dpkg-reconfigure
>
> What else?
>
> When I did some tests with sudoers I wasn't able to disallow certain commands with parameters, like:
>
> passwd root
>
> The only way was to disable passwd at all, which isn't nice. Is there another way to allow some parameters for certain commands?

Many of these commands don't need root access. Why don't you just
determine the commands that have to be run as root, create a group of
people who'll use these commands ("partner") or a User_Alias of people
who'll use these commands ("PARTUSR"), create a "Cmnd_Alias"
("PARTCMD") with all these commands, and then create the following
sudo entry

%partner ALL = (root) PARTCMD
or
PARTUSR ALL = (root) PARTCMD

You can/should also replace the "ALL" by the server's hostname.
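The allow-list layout the reply describes, written out as an added example that is not from this thread or from the sudo project. It covers the tasks in Denis's list, including the "passwd for anyone but root" case he could not get working, which sudoers expresses as an allow followed by a "!" entry for the specific argument. The host name bankweb, the user names partner1/partner2, the Debian init script and php.ini paths, and the file names under /var/www/app are assumptions; adjust them to the real machine.

```sudoers
# Added example, not from the mailing-list thread.  Install with
# "visudo -f /etc/sudoers.d/partner" so a syntax error cannot lock
# root out (Debian's default sudoers has "#includedir /etc/sudoers.d").
# Host name, user names and all paths below are assumptions.

# Who: a User_Alias (a Unix group "%partner" works the same way).
User_Alias  PARTUSR  = partner1, partner2

# Restart/reload the web server with exact argument lists.
Cmnd_Alias  WEBSRV   = /etc/init.d/apache2 restart, \
                       /etc/init.d/apache2 reload

# sudoedit copies the file to a temp location and runs the partner's
# own editor unprivileged, so an editor shell escape (vi :!sh) gets the
# partner's uid, not root.  Never grant the editor binary itself.
Cmnd_Alias  PHPCFG   = sudoedit /etc/php5/apache2/php.ini

# Package handling.  Note: a trailing "*" matches the rest of the
# command line including spaces, so this is a guard against accidents,
# not a security boundary (see the note after the block).
Cmnd_Alias  PKGS     = /usr/bin/apt-get update, \
                       /usr/bin/apt-get install *, \
                       /usr/sbin/dpkg-reconfigure *

# passwd for any user except root: the allow needs at least one
# letter as argument, and the "!" entry, being later, wins for "root".
Cmnd_Alias  PASSWD   = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

# chown/chmod on named files only.  ":" is special in sudoers and must
# be escaped.  Avoid "/var/www/app/*" here: the wildcard would also
# match "/var/www/app/x /etc/sudoers" as one argument string.
Cmnd_Alias  FILEPERM = /bin/chown www-data\:www-data /var/www/app/config.php, \
                       /bin/chmod 0640 /var/www/app/config.php

# Default deny: nothing outside the aliases is permitted, so no "!su"
# or shell deny-list is needed.  Host name instead of ALL.
PARTUSR  bankweb = (root) WEBSRV, PHPCFG, PKGS, PASSWD, FILEPERM
```

Check the result with `visudo -c` and `sudo -l -U partner1`, which prints exactly what that user may run. Two caveats a reviewer would raise: git, svn, rcs and file transfer should run as the partner's own account (give that account write access to the checkout via group ownership rather than sudo), and `apt-get install *` run as root is only a convenience fence, because apt accepts `-o` options such as `DPkg::Pre-Invoke::=` that execute arbitrary commands and `apt-get install pkg-` (trailing dash) removes a package. If "install but not remove" has to hold against a hostile user, put the apt-get call in a root-owned wrapper script that builds the command line itself and grant only that script.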

