[PLUG] sudo to root question
Dan Roberts
Daniel.G.Roberts at sanofi-aventis.com
Fri Apr 25 17:20:37 UTC 2008
Thanks for the reply and note on my misconfiguration!
Might anyone be willing to offer what "root"-like sudo commands you may
allow your power users to perform?
I am getting shredded on trying to implement a policy that says no one
is to have full sudo to root access. But I am also arguing that it is a
reasonable approach to allow specific sudo to root access to a LIMITED
command subset.
What might those command subsets be in your experience that seem
reasonable?
Thanks!
Dan
On Fri, 2008-04-25 at 09:23 -0700, Paul Heinlein wrote:
> On Fri, 25 Apr 2008, Dan Roberts wrote:
>
> > Hello All
> >
> > In the /etc/sudoers file snippet shown below...
> >
> > Could someone please explain the differences in consequence between
> > the two entries below.
> >
> > 1> droberts ALL = ALL
> > OR
> > 2> droberts ALL(ALL) = ALL
> >
> > I can't quite figure out what the difference in use or consequence
> > might be in either line.
>
> I think the second one is illegal. It should read
>
> droberts ALL = (ALL) ALL
>
> The "(ALL)" is what sudo calls the Runas_Spec, which consists of a
> Runas_List in parens. By default, the Runas_List is "root," but it's
> configurable.
>
> In the default configuration, there's not much practical difference
> between the two. In configuration #1, droberts would have to jump a
> hoop or two if he wanted to run a process as, e.g., the Apache user.
> Typically the hoop is navigated by using the su command:
>
> sudo su apache command
>
> A legal version of configuration #2, otoh, would mean he could do it
> directly, e.g.,
>
> sudo -u apache command
>
> The real power of the runas stuff becomes more apparent when you set
> runas_default to something other than root. In that case, you have to
> explicitly add root to your Runas_Spec.
>
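
An added example, not part of the original thread: a small Python audit of one-line sudoers user specs that extracts the Runas_Spec discussed in the quoted reply and flags entries granting ALL commands as root, which is what the policy in the message wants to rule out. The simplified grammar (no aliases, runas groups or line continuations), the function name audit, and the sample lines and command path are assumptions.

```python
import re

# Simplified one-line user spec: user host = [(runas_list)] [TAG:] commands
# Assumption: no User/Host/Cmnd aliases, runas groups or line continuations.
SPEC = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^\s=(]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$')
TAGS = re.compile(r'^(?:[A-Z_]+:\s*)+')   # e.g. NOPASSWD:, NOEXEC:

def audit(line, runas_default="root"):
    """Return (status, runas_users, commands) for one sudoers user spec.

    status is "invalid" (does not fit the form above), "full-root"
    (ALL commands, runnable as root) or "limited" (anything else).
    """
    m = SPEC.match(line.strip())
    if not m:
        return ("invalid", [], [])
    if m.group("runas") is None:
        # No Runas_Spec: only the runas_default user applies.
        runas = [runas_default]
    else:
        runas = [u.strip() for u in m.group("runas").split(",")]
    cmds = [TAGS.sub("", c.strip()) for c in m.group("cmds").split(",")]
    as_root = "ALL" in runas or "root" in runas
    status = "full-root" if as_root and "ALL" in cmds else "limited"
    return (status, runas, cmds)

# Constructed sample entries; the first three are the forms from the thread.
SAMPLES = [
    "droberts ALL = ALL",
    "droberts ALL(ALL) = ALL",
    "droberts ALL = (ALL) ALL",
    "droberts ALL = (apache) ALL",
    "droberts ALL = (root) NOPASSWD: ALL",
    "droberts ALL = /sbin/service httpd restart",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(f"{audit(entry)[0]:10} {entry}")
```

"limited" here only means the entry is not ALL commands as root; each listed command still needs its own review. Passing runas_default="apache" shows the reply's last point: the bare "= ALL" entry stops being full root, and root has to be named in the Runas_Spec.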