JP Vossen on 14 Dec 2007 18:54:02 -0000
Date: Fri, 14 Dec 2007 09:13:06 -0500
From: "Steve Morgan" <stevem.firefly@gmail.com>
Subject: Re: [PLUG] AV software for Linux

> No, still use sudo. You can set up the sudoers file in two different ways:
> A) the user can type in sudo <command> and it gets executed right away
> (like how it is set up default in Ubuntu), or B) the user can type in
> sudo <command> and it will prompt for their own password before execution.
> The theoretical virii will have no idea what the user's own password is and
> therefore would not be able to execute the command. Do indeed use sudo, but
> have it require their password to execute anything when attempting to
> execute a command with sudo.

I'm not sure if the OP is interested in this granularity, but FYI you can also set up the sudoers file to:

* Only allow certain users to sudo
* Only allow certain users to sudo using certain commands
* Many combinations and variations of the above

'man sudoers' has the details, which I admit look a little hairy at first glance. It's actually easier than it looks (kinda), and there are lots of examples on the 'Net.

Having said all of that, one of the tricky things with trying to restrict users is that many tools have a way to "shell out" and get a command prompt. So if I do not allow you to sudo foo, but I do allow you to sudo vi, you can sudo vi, shell out and run foo anyway.

This is probably starting to get out-of-scope, but just in case. Sudo is a GREAT tool, but doing more than a binary root/not-root isn't trivial.

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
Microsoft has single-handedly nullified Moore's Law. Innate design flaws of Windows make a personal firewall, anti-virus and anti-malware software mandatory. The resulting software arms race has effectively flattened Moore's Law on hardware running Windows.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
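
A small audit of the two points raised in this thread (sudoers entries that skip the password prompt, and allowed commands that can shell out), added here as an example and not part of the original posts. The sample policy, its user names and the list of shell-capable programs are constructed assumptions; NOEXEC and sudoedit are standard sudoers features, and the parser covers only simple one-line user specifications.

```python
import re

# Assumption: illustrative, non-exhaustive list of programs that can start a
# shell or another command from inside themselves.
SHELL_CAPABLE = {"vi", "vim", "view", "ed", "less", "more", "man", "emacs", "find", "awk"}
NOT_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sample policy; user names and paths are made up for this example.
SAMPLE = """\
Defaults env_reset
alice  ALL=(ALL) NOPASSWD: ALL
bob    ALL=(root) /usr/sbin/service apache2 restart, /usr/bin/vi
carol  ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
dave   ALL=(root) sudoedit /etc/hosts
erin   ALL=(root) NOPASSWD: /usr/bin/vi, PASSWD: /usr/bin/id
"""

RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(.+)$")
PREFIX = re.compile(r"^(?:\([^)]*\)|(NOPASSWD|PASSWD|NOEXEC|EXEC):)\s*")

def audit(text):
    """Return (user, command, finding) for each risky entry in sudoers text."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if not m or line.startswith("#") or line.startswith(NOT_RULES):
            continue
        user, nopasswd, noexec = m.group(1), False, False
        for cmd in map(str.strip, m.group(2).split(",")):
            # Peel off the (runas) part and tags; tags carry over to later commands.
            while (p := PREFIX.match(cmd)):
                tag, cmd = p.group(1), cmd[p.end():]
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
                elif tag in ("NOEXEC", "EXEC"):
                    noexec = tag == "NOEXEC"
            if not cmd:
                continue
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if nopasswd:
                findings.append((user, cmd, "no password prompt"))
            if name in SHELL_CAPABLE and not noexec:
                findings.append((user, cmd, "can shell out"))
    return findings

if __name__ == "__main__":
    for user, cmd, why in audit(SAMPLE):
        print(f"{user}: {cmd}: {why}")
```

In the sample, carol's pager is not flagged because of the NOEXEC tag, and dave edits through sudoedit, which runs the editor as the invoking user rather than as root.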