RE: sudo examples






Mazda Motor Logistics Europe NV, Blaasveldstraat 162, B-2830 Willebroek
VAT BE 0406.024.281, RPR Mechelen, ING 310-0092504-52, IBAN : BE64 3100 0925 0452, SWIFT : BBRUBEBB

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
bounces@xxxxxxxxxx] On Behalf Of frank cui
Sent: donderdag 27 oktober 2011 2:21
To: General Red Hat Linux discussion list
Subject: Re: sudo examples

On Wed, Oct 26, 2011 at 8:31 PM, Steven Barre <
steven@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hello!

I understand how to configure sudo, but I don't get how to get real-world
use from it. Is it best to write custom scripts for the things that need
doing and give sudo access to those scripts?

Allowing the execution of shell scripts via sudo adds potential security issues. If the script can be modified or the behavior of the executing shell can be changed the user may gain more rights. See e.g. (first hit in google, there will be other examples) http://www.sudo.ws/pipermail/sudo-announce/2005-November/000053.html.

So scripts are probably not the recommended approach.

Most of what I do as root is done because of file permissions. For example,
if I want a user to have access to a conf file but don't want to change the
file permissions of the conf file, how can I do this with sudo?


I'm not sure about the solution using sudo, but definitely you could setup
an ACL for the file for more granular control over it.

ACL's may indeed be a better solution to this approach because allowing a user to execute e.g. vi as root effectively grants complete access due to the possibility to use shell escapes in vi.
This can partly be addressed by using restricted vi but I haven't investigated that option further so I can't comment on that.

Do you have any examples of how you use sudo to allow users to do some
basic tasks?


The sudo list, as you may know, can allow users to do specific categories of
tasks instead of authorizing all the root commands to them. For example, you
can delegate the abilities to restart a network service to a specific user.

This is also our primary use case, off course init scripts are shell scripts too.

Regards

Bram

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list