Possible solution to sudoers file, comments please.


Wanted input from the security group, read the comp newsgroup mostly and
ask that followups go there, if you don't mind. Will track your replies
wherever they go. Thank you.

Thanks guys for helping me to understand the wheel group and the sudoers
file. I will skip the wheel stuff, it really does not seem to apply much
to my FC3 setup. This is sort of what I had in mind for my user to be
able to do:

What I want for my user to do:

Use halt, reboot, shutdown, mount, and tcpdump commands.
Read all log files.

With sudo password:
All root privileges.

This was not a simple thing to figure out and this is what I came up
with. Would someone look this over and see if it seems okay or do you
find any "holes" in it?

I had no problems with viewing most logs except for the httpd logs. I
changed permissions on /var/log/httpd as follows:
drwxr-xr-x   2 root  root        4096 Jun  1 06:55 httpd

This lets me view the logs. I also added the root path to my own in my
$HOME/.bashrc file so that stuff like tcpdump would work:


export PATH

Now I took a really good sample sudoers file:

And used some of it to make my own sudoers file with visudo. This seems
to grant me the access that I need or want as a regular user with admin
[ohmster@ohmster etc]$ sudo cat sudoers
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers

# Host alias specification

# User alias specification
User_Alias      ADMIN = ohmster

# Cmnd alias specification
Cmnd_Alias      KILL = /usr/bin/kill
Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias      HALT = /usr/sbin/halt
Cmnd_Alias      REBOOT = /usr/sbin/reboot
Cmnd_Alias      SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                         /usr/local/bin/tcsh, /usr/bin/rsh
Cmnd_Alias      SU = /usr/bin/su
Cmnd_Alias      VIPW = /usr/bin/passwd, /usr/bin/chsh
Cmnd_Alias      NETVIEW = /usr/sbin/tcpdump, /bin/traceroute
Cmnd_Alias      EDIT = /usr/bin/vim, /bin/cat, /usr/bin/less, /bin/more, \
                       /usr/bin/pico, /bin/touch, /bin/grep, /bin/awk

# Defaults specification

# User privilege specification
root    ALL=(ALL) ALL

# part time sysadmins may run anything but need a password

# admin may run specified commands without password

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

What do you think, any bad stuff here? I also log in with ssh, would like
to be able to restrict this sudo stuff to logins on my own LAN which uses
the IP range Is this something that can be
done from the sudoers file?

I put the EDIT group in there in order to run these commands as root for
editing or viewing files that are permissioned for root only, but this  
really does not seem to work as I intended. Might have to take that EDIT
group out.

Hey thanks guys, you have all been a really good help with this.
"Read Ohmster" in subject, bypass spam filter.
ohmster /a/t/ newsguy dot com

Re: Possible solution to sudoers file, comments please.


I took out the EDIT part of my sudoers file, as Jack pointed out, one could
escape to a full-blown root shell if one were to run vi as root like this.

That was a stupid idea, really. These programs like vim are programs that
anyone on the system can use anyway. I had wanted it to be that if I called
up a program like vim to edit a file and used the sudo command to prefix
it, like this:

sudo vi /etc/hosts

(vi aliases to vim on my system.)

It would run vi as root with root read and write access to the file, then I
could edit such a file without having to invoke an su shell. This is really
stupid for the reason that you pointed out, one could possibly escape to a
full-blown root shell and this is a practice to be avoided for sure. Bad
idea, the EDIT stuff in my sudoers file has been removed. Thanks again for
pointing this out, Jack. I don't really need such a feature, as it is
rather redundant. I can do it like this instead:

su -c "vi /etc/hosts"

Yeah I am learning and at least trying to do it right.

"Read Ohmster" in subject, bypass spam filter.
ohmster /a/t/ newsguy dot com
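A small checker for the problem raised across both posts (the EDIT alias in the first post, and the shell-escape risk Jack pointed out that led to its removal in the second), written here as an added example; it is not code from the thread or from the sudo project. It parses a sudoers-style file using the constructs the posted file relies on (User_Alias, Cmnd_Alias, backslash line continuations, NOPASSWD/PASSWD tags), expands the aliases, and flags two things: an interactive program (editor, pager, shell, su) granted to a user, and NOPASSWD applied to ALL. Both embedded sudoers samples are constructed for the example: one modelled on the posted file with the EDIT alias still present, and a hardened variant that uses sudoedit for the /etc/hosts case instead of running the editor as root. The set of program names treated as escape-capable is an assumption chosen for the example, not an exhaustive list.

```python
"""Lint a sudoers-style file for rules that grant more than intended.

Added example, not code from the thread. Handles User_Alias, Cmnd_Alias,
backslash continuations and NOPASSWD/PASSWD tags, then flags interactive
programs granted to a user (they can start a subprocess with that identity)
and NOPASSWD applied to ALL.
"""
import re

# Program names treated as able to start a subprocess: an assumption for
# this example, not an exhaustive list.
ESCAPE_CAPABLE = {"sh", "bash", "csh", "ksh", "tcsh", "rsh", "su",
                  "vi", "vim", "pico", "less", "more", "awk"}

ALIAS_RE = re.compile(r"(User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)\s+(\w+)\s*=\s*(.*)")
SPEC_RE = re.compile(r"(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)")
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*(.*)")


def join_continuations(text):
    """Merge lines ending in a backslash with the line that follows."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:                      # dangling continuation at end of file
        lines.append(buf)
    return lines


def split_commands(rest):
    """Split a command list into (command, nopasswd) pairs; as in sudoers,
    a NOPASSWD:/PASSWD: tag applies to every following command until the
    next tag."""
    result, nopasswd = [], False
    for item in rest.split(","):
        item = item.strip()
        while (m := TAG_RE.match(item)):
            if m.group(1) == "NOPASSWD":
                nopasswd = True
            elif m.group(1) == "PASSWD":
                nopasswd = False
            item = m.group(2).strip()
        if item:
            result.append((item, nopasswd))
    return result


def parse(text):
    """Return (aliases, specs): alias name -> members, and a list of
    (user, host, runas, [(command, nopasswd), ...])."""
    aliases, specs = {}, []
    for line in join_continuations(text):
        line = line.split("#", 1)[0].strip()    # drop comments
        if not line or line.startswith("Defaults"):
            continue
        if (m := ALIAS_RE.match(line)):
            aliases[m.group(2)] = [x.strip() for x in m.group(3).split(",") if x.strip()]
        elif (m := SPEC_RE.match(line)):
            user, host, runas, rest = m.groups()
            specs.append((user, host, runas or "root", split_commands(rest)))
    return aliases, specs


def expand(members, aliases, seen=frozenset()):
    """Recursively replace alias names in a member list with their members."""
    out = []
    for member in members:
        if member in aliases and member not in seen:
            out.extend(expand(aliases[member], aliases, seen | {member}))
        else:
            out.append(member)
    return out


def lint(text):
    """Return human-readable findings for the given sudoers text."""
    aliases, specs = parse(text)
    findings = []
    for user, host, runas, cmds in specs:
        for who in expand([user], aliases):
            for cmd, nopasswd in cmds:
                for full in expand([cmd], aliases):
                    prog = full.split()[0].lstrip("!")     # drop args and negation
                    base = prog.rsplit("/", 1)[-1]
                    if base in ESCAPE_CAPABLE:
                        findings.append(f"{who}@{host}: {full} runs as {runas} "
                                        "and can start a subprocess (shell escape)")
                    if prog == "ALL" and nopasswd:
                        findings.append(f"{who}@{host}: NOPASSWD applied to ALL")
    return findings


# Constructed sample modelled on the posted file, EDIT alias still in place.
POSTED_STYLE = """\
User_Alias      ADMIN = ohmster
Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/reboot
Cmnd_Alias      NETVIEW = /usr/sbin/tcpdump, /bin/traceroute
Cmnd_Alias      EDIT = /usr/bin/vim, /bin/cat, /usr/bin/less, /bin/more, \\
                       /usr/bin/pico, /bin/touch, /bin/grep, /bin/awk
root    ALL=(ALL) ALL
ADMIN   ALL = NOPASSWD: SHUTDOWN, NETVIEW, EDIT
ADMIN   ALL = (ALL) ALL
"""

# Constructed hardened variant: sudoedit for the one file that needed editing,
# no editor or pager run as root, password still required for the ALL rule.
HARDENED = """\
User_Alias      ADMIN = ohmster
Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/reboot
Cmnd_Alias      NETVIEW = /usr/sbin/tcpdump, /bin/traceroute
root    ALL=(ALL) ALL
ADMIN   ALL = NOPASSWD: SHUTDOWN, NETVIEW
ADMIN   ALL = sudoedit /etc/hosts
ADMIN   ALL = (ALL) ALL
"""

if __name__ == "__main__":
    for name, sample in (("posted-style", POSTED_STYLE), ("hardened", HARDENED)):
        print(f"== {name}: {len(lint(sample))} finding(s)")
        print("\n".join("   " + f for f in lint(sample)))
```

The hardened sample leans on sudoedit (the same thing as sudo -e): sudo copies the target file, runs the editor as the invoking user on the copy, and writes the copy back, so an editor that drops to a shell only yields the user's own shell. On the LAN question from the first post: the host field and Host_Alias in sudoers match the host on which sudo itself is run, not the address an SSH session came from, so the sudoers file alone cannot limit a rule to logins from a given client range.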
