Hi,

Absolutely,

sudo is highly recommended, & powerful.
You can give many commands to each user, different permissions for each,
etc.

Defaults:ALL timestamp_timeout=0
makes permissions go back to the user state after each sudo <command> action,

so a user must run another sudo <command> if he needs a second root-permission-level
command.

This is a simple security improvement.

Here is a very simple example:
Defaults    env_reset,tty_tickets

# Host alias specification
Host_Alias HOST = jaunty
Host_Alias LAN  = 192.168.1.0/255.255.255.0
Host_Alias HOME = HOST,LAN

# User alias specification

# Cmnd alias specification
Cmnd_Alias CRYPT   = /usr/bin/truecrypt
Cmnd_Alias USBDEV  = /usr/bin/unetbootin,/usr/bin/gnome-format
Cmnd_Alias APT     = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
Cmnd_Alias UPDATES = /usr/bin/update-manager
Cmnd_Alias FUSE    = /usr/bin/Gmount-iso
Cmnd_Alias MYPROGS = CRYPT,USBDEV,APT,UPDATES,FUSE

# User privilege specification
root    ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin HOME=(root) ALL
%admin HOME=(root) NOEXEC:/usr/bin/vim
iain   HOME=(root) NOPASSWD:MYPROGS

You can see here that this is secured by host-restricted permissions,
LAN restrictions, & a strict list of programs allowed to be launched.




> ----------------------------------------
> From: Jordi <jespa...@minibofh.org>
> Sent: Wed May 04 08:33:33 CEST 2011
> To: <misc@openbsd.org>
> Subject: Re: Need Suggestion: To limit the access of root account
>
>
> man sudo for granular permissions.
>
> Then man sh or man ksh or whatever shell you want to use to create a
> really simple script to show the required options.
>


Regards
Francois Pussault
3701 - 8 rue Marcel Pagnol
31100 Toulouse
France
+33 6 17 230 820  +33 5 34 365 269
fpussa...@contactoffice.fr
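
Added example, not part of the original message: a small Python audit helper that expands the nested Cmnd_Alias definitions from the sudoers fragment above and lists what each NOPASSWD rule really grants, marking commands given as a bare path, for which sudoers accepts any arguments. The function names are hypothetical, and the parser assumes one definition per line with no escaped commas or line continuations.

```python
import re

# Sudoers fragment copied from the message above (used here as sample input).
SUDOERS = """\
Cmnd_Alias CRYPT   = /usr/bin/truecrypt
Cmnd_Alias USBDEV  = /usr/bin/unetbootin,/usr/bin/gnome-format
Cmnd_Alias APT     = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
Cmnd_Alias UPDATES = /usr/bin/update-manager
Cmnd_Alias FUSE    = /usr/bin/Gmount-iso
Cmnd_Alias MYPROGS = CRYPT,USBDEV,APT,UPDATES,FUSE
%admin HOME=(root) ALL
%admin HOME=(root) NOEXEC:/usr/bin/vim
iain   HOME=(root) NOPASSWD:MYPROGS
"""

def parse_aliases(text):
    """Return {alias: [raw members]} for every Cmnd_Alias line."""
    aliases = {}
    for m in re.finditer(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", text, re.M):
        aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return aliases

def expand(name, aliases, seen=()):
    """Recursively expand an alias into concrete command strings."""
    if name not in aliases:
        return [name]                      # a concrete command, not an alias
    if name in seen:
        raise ValueError(f"alias loop at {name}")
    out = []
    for member in aliases[name]:
        out.extend(expand(member, aliases, seen + (name,)))
    return out

def nopasswd_report(text):
    """Return {user: [(command, any_arguments_allowed)]} for NOPASSWD rules."""
    aliases = parse_aliases(text)
    report = {}
    rule = re.compile(r"^(\S+)\s+\S+\s*=\s*\([^)]*\)\s*NOPASSWD:\s*(.+)$", re.M)
    for m in rule.finditer(text):
        for item in m.group(2).split(","):     # naive split: no escaped commas
            for cmd in expand(item.strip(), aliases):
                # A bare path with no arguments listed matches any arguments.
                report.setdefault(m.group(1), []).append((cmd, " " not in cmd))
    return report

if __name__ == "__main__":
    for user, cmds in nopasswd_report(SUDOERS).items():
        for cmd, any_args in cmds:
            print(user, cmd, "(any arguments)" if any_args else "(fixed arguments)")
```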
