Re: [PLUG] AV software for Linux (sudo)

Art Alexion on 14 Dec 2007 19:30:58 -0000

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] AV software for Linux (sudo)

From: Art Alexion <art.alexion@verizon.net>

To: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>

Subject: Re: [PLUG] AV software for Linux (sudo)

Date: Fri, 14 Dec 2007 14:30:05 -0500

Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>

Sender: plug-bounces@lists.phillylinux.org

User-agent: KMail/1.9.6 (enterprise 0.20070907.709405)

On Friday 14 December 2007 13:53:53 JP Vossen wrote: > > Date: Fri, 14 Dec 2007 09:13:06 -0500 > > From: "Steve Morgan" <stevem.firefly@gmail.com> > > Subject: Re: [PLUG] AV software for Linux > > > > No, still use sudo. You can set up the sudoers file in two different > > ways: A) the user can type in sudo <command> and it gets executed > > right away (like how it is set up default in Ubuntu), or B) the user > > can type in sudo <command> and it will prompt for their own password > > before execution. The theoretical virii will have no idea what the > > user's own password is and therefore would not be able to execute the > > command. Do indeed use sudo, but have it require their password to > > execute anything when attempting to execute a command with sudo. > > I'm not sure if the OP is interested in this granularity, but FYI you > can also set up the sudoers file to: > * Only allow certain users to sudo > * Only allow certain users to sudo using certain commands > * Many combinations and variations of the above > > 'man sudoers' has the details, which I admit look a little hairy at > first glance. It's actually easier than it looks (kinda), and there are > lots of examples on the 'Net. > > Having said all of that, one of the tricky things with trying to > restrict users is that many tools have a way to "shell out" and get a > command prompt. So if I do not allow you to sudo foo, but I do allow > you to sudo vi, you can sudo vi, shell out and run foo anyway. This is > probably starting to get out-of-scope, but just in case. Sudo is a > GREAT tool, but doing more than a binary root/not-root isn't trivial. > My concern is this. The only way I would use sudo on the floor of an enterprise with not-to-be-trusted users is if it required a root/not user password. I don't want regular users doing ANYTHING requiring root permission. I do want to be able to run root tasks on their machines without having to log in myself or a root login with a separate root password.
Attachment: signature.asc
Description: This is a digitally signed message part.

___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:

Re: [PLUG] AV software for Linux (sudo)
From: brent saner <brent.saner@gmail.com>

References:

Re: [PLUG] AV software for Linux (sudo)
From: JP Vossen <jp@jpsdomain.org>

Prev by Date: Re: [PLUG] AV software for Linux (sudo)

Next by Date: Re: [PLUG] AV software for Linux (sudo)

Previous by thread: Re: [PLUG] AV software for Linux (sudo)

Next by thread: Re: [PLUG] AV software for Linux (sudo)

Index(es):

Date

Thread