Re: SUDOERS: how to setup in a school
From: Edward Buck (ed_at_bashware_REMOVEME_.net)
Date: 10/18/04
- Next message: Michael Heiming: "Re: SUDOERS: how to setup in a school"
- Previous message: Newsbox: "Re: Monitoring outgoing IRC"
- In reply to: Michael Heiming: "Re: SUDOERS: how to setup in a school"
- Next in thread: Michael Heiming: "Re: SUDOERS: how to setup in a school"
- Reply: Michael Heiming: "Re: SUDOERS: how to setup in a school"
- Reply: Tim Haynes: "Re: SUDOERS: how to setup in a school"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 17 Oct 2004 18:22:30 -0700
Michael Heiming wrote:
> In comp.os.linux.security Dr. Robert Meier <worsel@c112927lin.svinfra.compuware.com>:
>
>>Edilmar Alves wrote:
>>
>>>I'm a teacher of a Linux course, and I'm using Fedora Core 2 to teach
>>>how to configure services like DNS, Apache, Proftp, Postfix, SSH,
>>>Samba, NFS and NIS. But, for convenience, the first students have
>>>to log in using the ROOT user or a user created with ROOT privileges,
>>>to allow them to modify configuration files and restart services in
>>>/etc/rc.d/init.d.
>
>>>However, I'd like to know if it is possible to configure SUDOERS
>>>for this situation. There are many config. files to change and many
>>>services to start/stop, and I'd like to create "student users"
>>>with no ROOT access but with privileges to do these configs.
>>>Is it possible? Does someone have a sample of this?
>
>>Yes.
>
> Not really, since standard editors like vim allow shell escapes,
> as Keith already mentioned, which means you can do anything.
Yes, you can. These students are not hackers who are going to exploit
security holes in available applications. I understand paranoia about
security but the OP asked about a simple solution to a simple problem.
Sudoers is the right tool for this. It allows you to provide very
controlled root access.
You are right about vim having an escape feature. That's why you don't
provide access to it! When I provide vi access via sudo, it's always
nvi only, which is more secure than vim. Nano (pico clone) is another
editor that seems more or less secure. Also, you can limit the rights
of the user only to edit certain files. Here's a snippet from my
sudoers file:
Cmnd_Alias WWWMOD = /usr/bin/vi *httpd.conf*, \
                    /usr/bin/vi *php.ini*, \
                    /usr/bin/nano *httpd.conf*, \
                    /usr/bin/nano *php.ini*, \
                    /etc/init.d/apache, \
                    /etc/init.d/apache-ssl, \
                    /etc/init.d/httpd
With the above ruleset, the user is limited to running vi only on files
that have httpd.conf and php.ini in their names. The user is also
allowed to restart apache.
The other nice thing about sudo is that it provides an audit trail. If
a student breaks something, you will know how.
Ed
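The WWWMOD alias in Ed's post is a good place to check how sudo really compares arguments. The script below is an added example, not code from the post or from the sudo project: it models the matching rules documented in sudoers(5) (the command path must match exactly; the arguments are joined with single spaces into one string and matched with fnmatch(3), so a `*` can match across word boundaries; an entry listing no arguments permits any arguments) and runs Ed's alias and a tighter alternative against a few constructed command lines. The WWWMOD_STRICT rule set, the file paths in it and the sample command lines are assumptions made up for the demonstration.

```python
"""Model sudoers(5) Cmnd matching and test a Cmnd_Alias against command lines.

Added example, not part of the original post. Assumptions: the WWWMOD_STRICT
rules, the paths /etc/httpd/conf/httpd.conf and /etc/php.ini, and every
command line in the demo are constructed for illustration.
"""
import fnmatch
import shlex

# Ed's alias from the post, as (command path, argument pattern) pairs.
# A pattern of None means the entry lists no arguments, which in sudoers
# allows the command to be run with any arguments at all.
WWWMOD = [
    ("/usr/bin/vi", "*httpd.conf*"),
    ("/usr/bin/vi", "*php.ini*"),
    ("/usr/bin/nano", "*httpd.conf*"),
    ("/usr/bin/nano", "*php.ini*"),
    ("/etc/init.d/apache", None),
    ("/etc/init.d/apache-ssl", None),
    ("/etc/init.d/httpd", None),
]

# Hypothetical tighter alternative: name the exact files and the exact
# init.d verbs, with no wildcard that could swallow extra arguments.
WWWMOD_STRICT = [
    ("/usr/bin/vi", "/etc/httpd/conf/httpd.conf"),
    ("/usr/bin/vi", "/etc/php.ini"),
    ("/etc/init.d/httpd", "start"),
    ("/etc/init.d/httpd", "stop"),
    ("/etc/init.d/httpd", "restart"),
]


def entry_matches(entry, argv):
    """Apply sudoers matching for one Cmnd entry.

    The command path is compared exactly.  If the entry lists no
    arguments, any arguments are accepted.  Otherwise all remaining
    arguments are joined with spaces into ONE string and that string is
    matched against the pattern with shell-style wildcards, so '*' can
    match spaces and therefore span several arguments.
    """
    path, pattern = entry
    if not argv or argv[0] != path:
        return False
    if pattern is None:
        return True
    joined = " ".join(argv[1:])
    return fnmatch.fnmatchcase(joined, pattern)


def allowed(rules, cmdline):
    """True if any entry of the alias would let this command line run."""
    argv = shlex.split(cmdline)
    return any(entry_matches(entry, argv) for entry in rules)


def render_alias(name, rules):
    """Render a rule list back into sudoers Cmnd_Alias syntax."""
    parts = [path if pattern is None else f"{path} {pattern}"
             for path, pattern in rules]
    return f"Cmnd_Alias {name} = " + ", \\\n    ".join(parts)


if __name__ == "__main__":
    # Constructed command lines a student might type (not from the post).
    samples = [
        "/usr/bin/vi /etc/httpd/conf/httpd.conf",        # intended use
        "/usr/bin/vi /etc/shadow",                       # should be refused
        "/usr/bin/vi /etc/shadow /tmp/httpd.conf",       # '*' spans both args
        "/usr/bin/vi -c ':!sh' /etc/httpd/conf/httpd.conf",  # options slip in
        "/etc/init.d/apache restart",
        "/etc/init.d/httpd restart",
    ]
    for cmd in samples:
        print(f"{cmd!r:55} WWWMOD={allowed(WWWMOD, cmd)!s:5} "
              f"STRICT={allowed(WWWMOD_STRICT, cmd)}")
    print()
    print(render_alias("WWWMOD_STRICT", WWWMOD_STRICT))
```

The third and fourth sample lines are the ones to look at: because sudo matches `*httpd.conf*` against the whole argument string, naming any file whose path ends in httpd.conf anywhere on the line satisfies the pattern, and the editor is then started as root on every file given, options included. sudoers(5) warns about exactly this ("command line arguments are matched as a single, concatenated string"). Listing the exact file paths, as the strict variant does, closes that hole in the pattern; it does not remove the editor's own shell escape, which is why sudo versions that ship `sudoedit` are a better fit for file-editing rights than granting `vi` itself.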