07-15-2005 04:16 PM
control access to sudo
I like to use sudo for sysadmin purposes, instead of direct root login.
But I can see that if I give execute permission for vi, rm, cp (simple commands which are frequently needed by a sysadmin), the user who has the right to execute sudo can delete/alter the sudo log or /etc/sudoers itself!
Is there any way to control this?
One possible way is to keep the logs on a remote server...
Is there any other way with which we can control access to a particular file (sudoers should not alter specific files)?
07-15-2005 04:36 PM
Re: control access to sudo
vi, rm & cp are always available to all users for acting on the files they have permissions to play with & should not be put in sudoers. If you put these in sudoers for a normal user then obviously, as he is executing vi through sudo & it does not account for arguments (here the filename), it will access the file specified in the argument with the privilege of root.
Putting logs somewhere else will also not solve this problem because there are so many other files in the system which a normal user is not supposed to even open.
So plan properly the commands which you want to put in sudoers for individual users.
Also you cannot keep track of what changes were made to a file after editing. Your logs will only say the file was edited by this user at this time.
Feel free to revert if still stuck.
HTH,
Devender
07-15-2005 04:44 PM
Re: control access to sudo
07-15-2005 04:49 PM
Re: control access to sudo
Well, you can track who sudoed to root through the logs, and with more than one system admin you have something called mutual trust.
DP
07-15-2005 05:01 PM
Re: control access to sudo
What and all do you expect your system administrators to work? You really cannot keep track of events completely. Moreover, you can keep track of when who did what by viewing the logs.
The real purpose of sudo is to distribute the responsibilities of the sysadmin. But again, one type of job is to be done by one administrator only. Something like SAM restricted could also help if you can achieve these jobs using SAM.
You will have to have faith in your administrators at least.
HTH,
Devender
07-15-2005 06:48 PM
Re: control access to sudo
Giving sudo access for cp, rm, vi is as good as giving an empty root password.
Because with sudo rm the person can simply delete /. With sudo vi the person can modify any file (including passwd) to suit his needs.
Try to avoid these through sudo. One workaround to this problem is: if you are very sure about what files and directories the person can copy, delete and edit, then create a simple shell script menu which will be executed as root.
Whenever the person logs in, he will be presented with this menu, and all he has access to is typing the option number for the task he wants to do, and the script will do it for him.
If that is not possible, then here is another method: you can configure sudo to execute a command only if it has a specified argument list. The user can execute sudo only with this command line argument list and nothing else. Check man sudoers for this option. By the way, this option is available on my Linux box (FC4); I don't know about HP-UX. I am sorry if it is not there.
Regards,
Gopi
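A check for the point made in the post above, as an added example that is not part of the original thread: a sudoers entry with no argument list allows any arguments, so this script flags vi, rm and cp grants that lack one. The user names, paths and sample policy are constructed, and the script does not expand Cmnd_Alias definitions or backslash-continued lines.

```shell
#!/bin/sh
# Added example: flag sudoers grants of vi/rm/cp that carry no argument list.

# Constructed sample policy (user names and paths are hypothetical).
SAMPLE_SUDOERS='# weak: any file can be edited, removed or overwritten as root
opsuser  ALL = /usr/bin/vi, /usr/bin/rm, /usr/bin/cp
backup   ALL = (root) NOPASSWD: /usr/bin/cp
# restricted: the arguments must match exactly what is listed
# (sudoedit needs a sudo build that supports it)
webadmin ALL = /usr/bin/rm /var/opt/app/tmp/core, sudoedit /etc/opt/app/app.conf'

# Reads sudoers text on stdin; prints "user: command" for each risky grant.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || !/=/ { next }               # skip comments and non-rule lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
        user = $1
        spec = substr($0, index($0, "=") + 1)
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/\([^)]*\)/, "", c)            # drop Runas spec, e.g. (root)
            gsub(/[A-Z_]+:/, "", c)             # drop tags, e.g. NOPASSWD:
            gsub(/^[ \t]+|[ \t]+$/, "", c)      # trim whitespace
            nf = split(c, w, /[ \t]+/)
            base = w[1]
            sub(/.*\//, "", base)               # basename of the command
            # One word only: no argument list, so any arguments are allowed.
            if (nf == 1 && base ~ /^(vi|rm|cp)$/)
                print user ": " w[1]
        }
    }'
}

# Number of risky grants found in the sudoers text on stdin.
count_risky() { audit_sudoers | wc -l | tr -d ' '; }

# Stand-alone run: audit the constructed sample.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

Against a real system, feed it the policy file instead of the sample, for example `audit_sudoers < /etc/sudoers`, run by an account that can read that file.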
07-18-2005 12:31 AM
Re: control access to sudo
http://docs.hp.com/en/5991-0709/ch01s01.html
The command "privrun" is similar to sudo, with similar issues, but is shipped/supported as part of HP-UX. RBAC/Privrun is also more flexible.