topic Re: control access to sudo in Operating System - HP-UX

control access to sudo

sujith_2 — Fri, 15 Jul 2005 23:16:31 GMT

Hi all,
I like to use sudo for sysadmin purpose , instead of direct root login ..
But i could see , if i give excute permission for vi , rm , cp .( simple commands which are needed frequently used by sysadmin ) the user who have right to execute sudo , can delete/alter the sudo log or /etc/suduers itself !!.
Is there any way to control this...
One possible way is to keep the logs in a remote server...
Is there any otherway , with which we can control access to a particular file ?( suduers should not alter specific files )?

Re: control access to sudo

Devender Khatana — Fri, 15 Jul 2005 23:36:12 GMT

Hi,

vi ,rm & cp are always available to all users for acting on the files they have permissions to play with & should not be put to sudoer. If you put these to sudoer of a normal user then obviously as he is executing vi through sudo & it does not count for arguments (here filename) it will access the file specified in argument with previledge of root.

Putting logs somewhere else will also not this problem because there are so many other files in system which a nornal user is not supposed to even open them.

So plan the commands properly which you want to put in sudoers for indivisual users.

Also you can not keep track of what the changes were done to file after editing. Your logs will only say the file edited by this user at this time.

Feel free to revert if still stucked.

HTH,
Devender

Re: control access to sudo

sujith_2 — Fri, 15 Jul 2005 23:44:37 GMT

So how should I go ahead to implement a secured system with more than one/two system administrators ?.

Re: control access to sudo

Devesh Pant_1 — Fri, 15 Jul 2005 23:49:51 GMT

Sujith,
well you can track who sudoed to root through the logs and with more than one system admins you have something called mutual trust.

DP

Re: control access to sudo

Devender Khatana — Sat, 16 Jul 2005 00:01:46 GMT

Hi,

What and all do you expect your system administrators to work? You really can not track of events completely. Morover you can have track when who did what by viewing the logs.

The real purpose of sudo is to distribute responsibilities of sys admin. But again one type of job is subjected to by done by one administrator only. Something like SAM restricted could also help if you can achive these jobs using SAM.

You will have to have faith on your administrators atleast.

HTH,
Devender

Re: control access to sudo

Gopi Sekar — Sat, 16 Jul 2005 01:48:00 GMT

Giving sudo access for cp, rm, vi is as good as giving empty root password.

Because with sudo rm the person can simply delete /. With sudo vi the person can modify any files (including passwd) to suite is needs.

Try to avoid these through sudo. One workaround to this problem is: if you are very sure about what files and directories the person can copy, delete and edit then, create a simple shell script menu which will be executed as root.

The person whenever logs in will be presented with this menu, and all he has access to is type the option number for the task he wants to do and script will do for him.

If that is not possible, then here is another method: you can configure sudo to execute a command only if it has specified arguments list. The user can execute sudo only with this command line argument list and nothing else. check man sudoers for this option. By the way this option is available on my linux box (FC4) i dont know about HPUX. I am sorry if it is not there

Regards,
Gopi

Re: control access to sudo

Robert Fritz — Mon, 18 Jul 2005 07:31:54 GMT

You may also want to take a look at the new Role-Based Access Controls,
http://docs.hp.com/en/5991-0709/ch01s01.html

The command "privrun" is similar to sudo, with similar issues, but is shipped/supported as part of HP-UX. RBAC/Privrun is also more flexible.