Date: Thu, 25 Mar 1999 21:09:36 -0500 (EST)
From: David Gilbert <dgilbert@velocet.ca>
To: Jeff Aitken <jaitken@aitken.com>
Cc: drosih@rpi.edu (Garance A Drosihn), dillon@apollo.backplane.com, bmah@CA.Sandia.GOV, freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
Message-ID: <14074.60512.17143.428754@trooper.velocet.ca>
In-Reply-To: <199903252320.SAA07455@eagle.aitken.com>
References: <v04011701b32060ab1ee4@[128.113.24.47]> <199903252320.SAA07455@eagle.aitken.com>
>>>>> "Jeff" == Jeff Aitken <jaitken@aitken.com> writes:

Jeff> Out of curiosity, to what programs do you typically grant people
Jeff> sudo access?  Is it not true that most "useful" programs a
Jeff> sysadmin might need to do his job contain some way of exec'ing
Jeff> another program?  For example, you can't use sudo to grant
Jeff> access to a text editor of any sort without implicitly giving
Jeff> full root access.

There are a number of cool things you can do.  One thing you can do
with sudo is specify (exactly or with a regular expression) the
arguments that someone is allowed to call a command with.  One common
one we have on our workstations is:

mount /dev/fd[01]a /a
umount /a

Another use we put it to is allowing people with less privs to run
scripts which operate as root.  Account management and other mundane
tasks.  Sudo allows you to protect the environment of the called
script such that sane restrictions can be made on what it can do.
This obviously requires a lot of effort... and is easily done wrong,
but is highly useful in freeing up time of higher level admins.

There is also a strong notion of grouping in sudo... and I usually
divide people into 3 groups: the world is generally untrusted --- they
will try to hack you; the trusted user (who possibly owns the box)
without much experience --- you are trying to prevent him from doing
something dumb enough to create work for you; and the fully trusted
employee where it's just easier not to have root passwords given to
everyone.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14074.60512.17143.428754>
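The setup Dave describes (argument-restricted mount/umount for workstation users, root-run scripts for a semi-trusted owner, full access for the admins), written out as a sudoers fragment. This is an added example, not from the original message or from the sudo project's own documentation; the user names, host alias, script paths and alias names are assumptions, while /sbin/mount and /sbin/umount are the FreeBSD paths. One point of fact worth knowing: sudo matches command arguments with shell-style wildcards (fnmatch), not regular expressions, so the [01] below is a character class, and a bare * in an argument list would match across word boundaries and should be avoided.

```sudoers
# /usr/local/etc/sudoers -- hypothetical fragment (added example)
# Edit only with visudo, which locks the file and syntax-checks it.

# The three trust levels from the message (names are made up).
# Everyone else is "the world" and gets no entry at all.
User_Alias  WS_USERS = alice, bob          # trusted, inexperienced
User_Alias  OWNERS   = carol               # owns the box, not an admin
User_Alias  ADMINS   = dave, erin          # fully trusted staff
Host_Alias  WORKSTATIONS = ws1, ws2, ws3   # assumed host names

# Arguments are part of the match.  Only these exact argument strings
# are accepted; "mount /dev/fd0a /a -o union" or "mount /dev/ad0s1 /a"
# would be refused because the whole argument list must match.
Cmnd_Alias  FLOPPY = /sbin/mount /dev/fd[01]a /a, /sbin/umount /a

# Root-run account-management scripts (assumed paths).  These must be
# owned by root and not writable by OWNERS, or the restriction is moot.
Cmnd_Alias  ACCOUNTS = /usr/local/sbin/newaccount, \
                       /usr/local/sbin/lockaccount

# "Protect the environment of the called script": start from a clean
# environment and a fixed PATH so callers cannot smuggle in LD_*, IFS,
# or a PATH entry that shadows a binary the script calls by name.
Defaults    env_reset
Defaults    secure_path="/sbin:/bin:/usr/sbin:/usr/bin"

# user      host         = (runas) command
WS_USERS    WORKSTATIONS = NOPASSWD: FLOPPY
OWNERS      ALL          = ACCOUNTS
ADMINS      ALL          = (ALL) ALL
```

Check the file with `visudo -c` before relying on it, and verify the result as an affected user with `sudo -l`, which prints exactly the commands and argument strings that user may run. Two caveats a practitioner will hit: anything in FLOPPY or ACCOUNTS that can spawn a shell or open an arbitrary file (an editor, a pager, `mount` with an `exec` option on a user-supplied filesystem) still gives root, which is Jeff's original objection; later sudo releases address the two common cases with the `NOEXEC` tag and `sudoedit`, but neither helps if the script itself can be made to do arbitrary work through its inputs. And a sudo rule is only as strong as the file permissions on the command it names.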