http://www.perlmonks.org?node_id=139868


in reply to Re: Re: Re: Executing Root Commands from user level
in thread Executing Root Commands from user level

Allowing Bob SUDO access to the box could be very very bad, if he truly is a problem. On the other hand, allowing Bob into the access group that can run the apache restart program via a suid bit, means that the only damage he can effectively do (besides erasing config files) is starting and stoping the web server; the rest of the box remains secure.

Either I miss somthing either you ignore that sudo can be configured to grant precise/limited access to some prog.

User_Alias WEBMASTERS = user1, user2, user3 User_Alias SYSADMINS = user3, user2 User_Alias DUMBUSERS = user4 # User privilege specification root ALL=(ALL) ALL WEBMASTERS www = NOPASSWD: /usr/sbin/apachectl SYSADMINS wiz = NOPASSWD: /bin/wiz DUMBUSERS blah = NOPASSWD: /bin/blah

Here I allow user1,user2,user3 (WEBMASTERS's sudo group) to use apachectl
Here I allow user2,user3 (SYSADMINS's sudo group) to use the ueber-elite /bin/wiz command
Here I allow user4 (DUMBUSERS's sudo group) to use the /bin/blah (I really don't trust him ;-)

If an intruder compromise the user4 account he can't do more than executing /bin/blah.

Sudo offer tons of other features (ask for passwd, execute under other UID...).
You really should give it a try...


"Only Bad Coders Code Badly In Perl" (OBC2BIP)