Re: SUDO vs root account question

• Previous message: Vladamir: "Re: Is Dynamic WEP Secure Enough?"
• In reply to: Tahis Vera: "SUDO vs root account question"
• Next in thread: xyberpix: "Re: SUDO vs root account question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Tahis Vera <tahis.vera@gmail.com>
Date: Wed, 23 Mar 2005 13:21:27 -0800

answers below

On Wed, 2005-03-23 at 10:47 +0200, Tahis Vera wrote:
> Hi all,
> I have two quick questions related to the 'sudo' command;
> putting a certain user Mr.X with ALL=(ALL)ALL permissions in the
> sudoers file, gives him COMPLETE root previleges? In other words, if I
> want that some people, for security reasons, stop using the root
> account/password for accessing the servers, by crating a sudo user
> with ALL previledges will decrease this risk? If this sudo account is
> compromised, will the cracker have COMPLETE root previleges?
>
yes, try running `sudo su -`

Read through the man page to lead how to secure this as much as
possible.

It would also be better (in my mind) if there was no "group" user
account. Give the users access as required on a per user basis. Every
time sudo is run it gets logged telling me who did what using sudo and
failed attempts to run sudo logged and e-mailed to root (aliased to me).

> The other questions is how to set the time (in sudoers file) for the
> user to work with sudo, without having to write the password (let's
> say that I want to work for 20 minutes without having to write the
> password again)

according to the sudoers man page (on my amd64 debian system)

timestamp_timeout
      Number of minutes that can elapse before sudo will ask for a
      passwd again. The default is 15. Set this to 0 to always prompt
      for a password. If set to a value less than 0 the user's times-
      tamp will never expire. This can be used to allow users to create
      or delete their own timestamps via sudo -v and sudo -k respec-
      tively

>
> regards
>
> Tahis

-- 
Jacob Bresciani
Etraffic Solutions
Systems / Network Administrator
BUS (250) 658-8238 ex 39
FAX (250) 658-5936

• Previous message: Vladamir: "Re: Is Dynamic WEP Secure Enough?"
• In reply to: Tahis Vera: "SUDO vs root account question"
• Next in thread: xyberpix: "Re: SUDO vs root account question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: SUDO vs root account question ... "sudo su -" will be his password, I would much rather add all the ... > want that some people, for security reasons, stop using the root ... If this sudo account is ... will the cracker have COMPLETE root previleges? ... (Security-Basics) SUDO vs root account question ... I have two quick questions related to the 'sudo' command; ... If this sudo account is ... will the cracker have COMPLETE root previleges? ... The other questions is how to set the time (in sudoers file) for the ... (Security-Basics) Re: SUDO vs root account question ... gives him COMPLETE root previleges? ... If this sudo account is ... sudo decreases surely the risk to compromise actions as a root user ... (Security-Basics) Re: SUDO vs root account question ... Side note - you can restrict what things can be ran, man sudo.. ... > That would give him root privs, he could sudo su -, and that's that. ... will the cracker have COMPLETE root previleges? ... (Security-Basics) Re: SUDO vs root account question ... > sudoers file, ... > account/password for accessing the servers, by crating a sudo user ... If this sudo account ... will the cracker have COMPLETE root previleges? ... (Security-Basics)