Possible solution to sudoers file, comments please.

From: Ohmster (notareal_at_emailaddress.com)
Date: 06/04/05


Date: Sat, 04 Jun 2005 16:33:37 GMT


Wanted input from the security group, read the comp newsgroup mostly and
ask that followups go there, if you don't mind. Will track your replies
wherever they go. Thank you.

Thanks guys for helping me to understand the wheel group and the sudoers
file. I will skip the wheel stuff, it really does not seem to apply much
to my FC3 setup. This is sort of what I had in mind for my user to be
able to do:

What I want for my user to do:

Use halt, reboot, shutdown, mount, and tcpdump commands.
Read all log files.

With sudo password:
All root privileges.

This was not a simple thing to figure out and this is what I came up
with. Would someone look this over and see if it seems okay or do you
find any "holes" in it?

I had no problems with viewing most logs except for the httpd logs. I
changed permissions on /var/log/httpd as follows:
drwxr-xr-x 2 root root 4096 Jun 1 06:55 httpd

This lets me view the logs. I also added the root path to my own in my
$HOME/.bashrc file so that stuff like tcpdump would work:

PATH=$PATH:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin

export PATH

Now I took a really good sample sudoers file:
http://www.courtesan.com/sudo/sample.sudoers

And used some of it to make my own sudoers file with visudo. This seems
to grant me the access that I need or want as a regular user with admin
privileges:
---------------------------------------------------------------------
[ohmster@ohmster etc]$ sudo cat sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification
User_Alias ADMIN = ohmster

# Cmnd alias specification
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                         /usr/local/bin/tcsh, /usr/bin/rsh, \
                         /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias VIPW = /usr/bin/passwd, /usr/bin/chsh, \
                       /usr/bin/chfn
Cmnd_Alias NETVIEW = /usr/sbin/tcpdump, /bin/traceroute
Cmnd_Alias EDIT = /usr/bin/vim, /bin/cat, /usr/bin/less, /bin/more \
                       /usr/bin/pico, /bin/touch, /bin/grep, /bin/awk \
                       /bin/sed

# Defaults specification

# User privilege specification
root ALL=(ALL) ALL

# part time sysadmins may run anything but need a password
ADMIN ALL = ALL

# admin may run specified commands without password
ADMIN ALL = NOPASSWD: NETVIEW, KILL, PRINTING, SHUTDOWN, HALT, REBOOT, EDIT

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL)

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
---------------------------------------------------------------------

What do you think, any bad stuff here? I also log in with ssh, would like
to be able to restrict this sudo stuff to logins on my own LAN which uses
the IP range 192.168.0.1-192.168.0.255. Is this something that can be
done from the sudoers file?

I put the EDIT group in there in order to run these commands as root for
editing or viewing files that are permissioned for root only, but this
really does not seem to work as I intended. Might have to take that EDIT
group out.

Hey thanks guys, you have all been a really good help with this.

-- 
~Ohmster
"Read Ohmster" in subject, bypass spam filter.
ohmster /a/t/ newsguy dot com
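An added audit script, not part of the post above, that checks the two things a reviewer would look at in this sudoers file: whether a `Cmnd_Alias` lost a comma (sudo then reads `/bin/more /usr/bin/pico` as one command with a fixed argument, which is why the EDIT group behaves unexpectedly), and whether a `NOPASSWD:` rule hands out programs that can read or rewrite any root-owned file. The sample fragment is constructed from the posted file and the list of risky programs is an assumption for the example.

```python
import re

# Constructed sample modelled on the posted sudoers file (not the poster's own text).
SAMPLE = r"""User_Alias ADMIN = ohmster
Cmnd_Alias NETVIEW = /usr/sbin/tcpdump, /bin/traceroute
Cmnd_Alias EDIT = /usr/bin/vim, /bin/cat, /usr/bin/less, /bin/more \
                       /usr/bin/pico, /bin/touch, /bin/grep, /bin/awk \
                       /bin/sed
ADMIN ALL = NOPASSWD: NETVIEW, EDIT
"""

# Programs that, run as root, let the caller read or rewrite arbitrary files or
# reach a subshell; a NOPASSWD grant of them is close to ALL. Assumed list.
ROOT_EQUIVALENT = {"vim", "vi", "pico", "less", "more", "awk", "sed", "cat",
                   "touch", "grep", "sh", "csh", "ksh", "tcsh", "zsh", "su"}

def join_continuations(text):
    """Fold backslash-newline continuations the way sudoers(5) does."""
    return re.sub(r"\\\n", " ", text)

def parse_aliases(text):
    """Return {alias: [command spec, ...]}; specs split on commas only, so a
    missing comma leaves one spec containing a space (command plus argument)."""
    aliases = {}
    for line in join_continuations(text).splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = [" ".join(c.split()) for c in m.group(2).split(",")]
    return aliases

def nopasswd_commands(text, aliases):
    """Expand every NOPASSWD: rule into the concrete command specs it grants."""
    granted = []
    for line in join_continuations(text).splitlines():
        m = re.search(r"NOPASSWD:\s*(.*)", line)
        if m:
            for item in (c.strip() for c in m.group(1).split(",")):
                granted.extend(aliases.get(item, [item]))
    return granted

def audit(text):
    """Return findings: missing commas inside aliases and over-broad NOPASSWD grants."""
    aliases = parse_aliases(text)
    findings = [f"{name}: '{spec}' is one command with arguments (missing comma?)"
                for name, specs in aliases.items() for spec in specs if " " in spec]
    for spec in nopasswd_commands(text, aliases):
        prog = spec.split()[0].rsplit("/", 1)[-1]   # basename of the program
        if prog in ROOT_EQUIVALENT:
            findings.append(f"NOPASSWD grants {spec}: can read/write files or run a shell as root")
    return findings
```

Running `audit(SAMPLE)` reports the two joined entries in EDIT and every EDIT program granted without a password, while tcpdump and traceroute pass.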

