Re: [opensuse] Re: Should openSUSE review it's Security Policies?



* Roger Oberholtzer <roger@xxxxxx> [03-01-12 02:40]:
On Thu, 2012-03-01 at 00:17 +0100, jdd wrote:

read man sudoer

See my earlier response to Patrick on this. sudo is all-or-nothing for
the program. You cannot restrict a single program to a subset of root
permissions. You get them all.


This is *not* so. Have you looked at /etc/sudoers?

<quote>

##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef
##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
#                        /usr/bin/pkill, /usr/bin/top

##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/sbin/reboot !log_output

## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
</quote>

from the man page
DESCRIPTION

sudo allows a permitted user to execute a command as the superuser
or another user, as specified by the security policy. The real and
effective uid and gid are set to match those of the target user, as
specified in the password database, and the group vector is
initialized based on the group database (unless the -P option was
specified).


and users can be added to groups which have permissions to do *specific*
things, i.e. wheel, wwwrun

--
(paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
http://en.opensuse.org openSUSE Community Member
Registered Linux User #207535 @ http://linuxcounter.net
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
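Patrick's point, as an added example that is not part of the thread: a small evaluator for the subset of sudoers syntax shown above (User_Alias, Cmnd_Alias, and user specs with a runas list), run over a constructed sample file. It shows how a Cmnd_Alias limits a user to specific command lines and a specific target user, while the shipped `ALL ALL=(ALL) ALL` default grants everything; what sudoers does not do is hand a command only part of root's privileges, since, as the man page excerpt says, the uid and gid become those of the target user. Assumptions: host lists, wildcards, negation and Runas_Alias are not handled, and the sample rules are made up for illustration.

```python
import shlex

# Constructed sample in sudoers syntax (not the real openSUSE /etc/sudoers).
SAMPLE = """\
User_Alias ADMINS = millert, dowdy
Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice
ADMINS ALL=(ALL) PROCESSES
roger ALL=(root) /usr/sbin/service apache2 restart
%wheel ALL=(ALL) ALL
"""
# The shipped default quoted above: anyone may run anything as anyone.
OPENSUSE_DEFAULT = "Defaults targetpw\nALL ALL=(ALL) ALL\n"

def parse_sudoers(text):
    # Returns (user_aliases, cmnd_aliases, rules); a rule is (who, runas, [cmds]).
    user_aliases, cmnd_aliases, rules = {}, {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):   # Defaults are not evaluated
            continue
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, rest = line.split(None, 1)
            name, members = (s.strip() for s in rest.split("=", 1))
            table = user_aliases if kind == "User_Alias" else cmnd_aliases
            table[name] = [m.strip() for m in members.split(",")]
        else:
            who, spec = line.split(None, 1)
            runas, spec = "ALL", spec.split("=", 1)[1].strip()   # host list ignored
            if spec.startswith("("):
                runas, spec = spec[1:].split(")", 1)
            rules.append((who, runas, [c.strip() for c in spec.split(",")]))
    return user_aliases, cmnd_aliases, rules

def _user_matches(who, user, groups, user_aliases):
    if who.startswith("%"):                           # %name is a Unix group
        return who[1:] in groups
    return who == "ALL" or user in user_aliases.get(who, [who])

def _cmd_matches(entry, command, cmnd_aliases):
    if entry in cmnd_aliases:                         # expand the Cmnd_Alias
        return any(_cmd_matches(e, command, cmnd_aliases) for e in cmnd_aliases[entry])
    allowed, wanted = shlex.split(entry), shlex.split(command)
    if len(allowed) == 1:            # ALL or a bare path: any arguments accepted
        return entry == "ALL" or wanted[:1] == allowed
    return wanted == allowed         # path given with arguments: exact match only

def permitted(text, user, groups, runas, command):
    # True if `user` (a member of `groups`) may run `command` as `runas`.
    user_aliases, cmnd_aliases, rules = parse_sudoers(text)
    return any(_user_matches(who, user, groups, user_aliases) and r in ("ALL", runas)
               and any(_cmd_matches(c, command, cmnd_aliases) for c in cmds)
               for who, r, cmds in rules)
```

`permitted(SAMPLE, "roger", [], "root", "/usr/sbin/service apache2 stop")` is refused while the `restart` form is allowed, which is the per-command restriction the quoted Cmnd_Alias examples are for.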