Hey Vince, I just read your article at mandrakesecure.net regarding sudo.  
Excellent article.  (Now, I just need to get going on the msec stuff so I 
can figure out how to tone down some of security level 4's more obnoxious 
habits.... :)

I like what you mentioned regarding using sudo to restrict access to the su 
command.  I've currently got sudo configured to allow anyone in the wheel 
group (which currently consists of me only, and isn't likely to change 
anytime soon... :) to run anything as root ("%wheel  ALL=(ALL)       
NOPASSWD: ALL"), and as a result of your suggestion in your article, I've 
removed the suid bit from /bin/su.  Assuming that msec level 4 doesn't 
decide to "repair" that later on, I've got that part covered.

A couple of questions for you:  If I've set up things like above, where 
someone in the wheel group can run anything, and then set up another entry 
which says that anyone in the adm group can run a more restricted subset of 
commands, what happens if the person (me, in this case) belongs to both 
groups?  Does the higher access (wheel group) take priority, or does the 
lower, more restricted access (adm group) take priority?

The other question is this:  Is it possible to set up sshd so that it will 
use that key-based login thing you talked about in an earlier message for 
some users, while allowing password logins for others?  That would be a 
kind-of happy medium for me, so that I can restrict access to my personal 
account without making things needlessly complicated for my friends who 
access the machine?  I've already got sshd configured to deny direct root 
logins, so you have to login as someone else first and then su to root.  
Since I've just gotten rid of the suid bit off of /bin/su, I've made my 
personal login ID the "window to root." :-)  As I previously mentioned, I'm 
pretty careful about the passwords I pick for myself, but if I can enable 
the key-based login for myself (while allowing password logins for others), 
I could make it that much harder for someone to compromise my machine.

TIA!

                   --Dave
-- 
      David Guntner      GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
                 for PGP Public key
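[Editor's note, not part of Dave's message: the second question maps onto a per-user override in sshd_config. The fragment below is an added example, not configuration from the original thread or from the article it refers to; it assumes a placeholder user name "davidg" and an OpenSSH version with Match block support (4.4 or later, which is newer than the Mandrake releases being discussed). On the first question, sudoers(5) states that matching entries are applied in order and the last match wins, so the relative order of the %wheel and %adm lines decides which one applies to a command listed in both.]

```sshd_config
# Added example (not from the original message): keep password logins as the
# site default but force key-only authentication for one account.
# "davidg" is an assumed placeholder user name.

# Global defaults: password logins stay on for everyone else, keys are
# accepted for everyone, and root may never log in directly.
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no

# Per-user override. Match blocks must come at the END of the file: every
# line after a "Match" belongs to that block until the next "Match" line.
# With both password and challenge-response disabled here, a login to this
# account requires the private key, not a guessed or stolen password.
Match User davidg
    PasswordAuthentication no
    ChallengeResponseAuthentication no
```

Before reloading sshd, run `sshd -t` to syntax-check the file, and `sshd -T -C user=davidg` to print the effective settings sshd would apply for that user (both options exist in any OpenSSH release that has Match blocks). Keep an existing session open while you test, so a mistake in the Match block cannot lock you out.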
