Bagas Sanjaya
2019-Aug-16 05:04 UTC
[CentOS] Giving full administrator privileges through sudo on production systems
Hello, Consider two following cases: 1. On production systems on television stations, a sysadmin give teens (remaja group, age 13 and older) full administrator privileges by adding this line to sudoers: %remaja ALL=(ALL:ALL) ALL Rationale: Almost all programs on the system can only be run by teens as root. 2. On production systems on tobacco factories, a sysadmin also give adults (age 18 and older, dewasa group) full administrator privileges by adding this line to sudoers: %dewasa ALL=(ALL:ALL) ALL Also, the sudo lecture file configured in sudoers (/etc/sudo.lecture) contain the following: WARNING: I BROKE MY SYSTEM BECAUSE OF SUDO. CUSTOMER SERVICE: ($a_random_phone_number) Rationale: All programs on system can only be run by adults, because such programs might break system. However, instead of calling sysadmin when something breaks the system, adults can call customer service instead, which isn't qualified for system maintenance. Based on above cases, is it OK to give group of random users full administrator privileges using sudo, by adding them to sudoers with ALL privileges? Should sudoers call customer service number instead of sysadmin when something breaks? Cheers, Bagas -- An old man doll... just what I always wanted! - Clara
Nicolas Kovacs
2019-Aug-16 05:53 UTC
[CentOS] Giving full administrator privileges through sudo on production systems
Le 16/08/2019 ? 07:04, Bagas Sanjaya a ?crit?:> Based on above cases, is it OK to give group of random users full > administrator privileges using sudo, by adding them to sudoers with ALL > privileges?Short answer : this is VERY wrong. Cheers, Niki -- Microlinux - Solutions informatiques durables 7, place de l'?glise - 30730 Montpezat Site : https://www.microlinux.fr Mail : info at microlinux.fr T?l. : 04 66 63 10 32 Mob. : 06 51 80 12 12
Warren Young
2019-Aug-16 11:21 UTC
[CentOS] Giving full administrator privileges through sudo on production systems
On Aug 15, 2019, at 11:04 PM, Bagas Sanjaya <bagasdotme at gmail.com> wrote:> > Based on above cases, is it OK to give group of random users full administrator privileges using sudo, by adding them to sudoers with ALL privileges? Should sudoers call customer service number instead of sysadmin when something breaks?sudo is a tool for expressing and enforcing a site?s policies regarding superuser privilege. If your sudo configuration expresses and enforces those policies the way you want it to, then the configuration is correct. If it does not, then fix it. sudo doesn?t tell you what your policies should be. We can suggest policies to you, but not based only on the information you?ve just given us. To properly advise you, we?d need to know your threat models, the risk assessments, and more. In short, we?d have to become your system administrators.
Valeri Galtsev
2019-Aug-16 13:01 UTC
[CentOS] Giving full administrator privileges through sudo on production systems
> On Aug 16, 2019, at 6:21 AM, Warren Young <warren at etr-usa.com> wrote: > > On Aug 15, 2019, at 11:04 PM, Bagas Sanjaya <bagasdotme at gmail.com> wrote: >> >> Based on above cases, is it OK to give group of random users full administrator privileges using sudo, by adding them to sudoers with ALL privileges? Should sudoers call customer service number instead of sysadmin when something breaks? > > sudo is a tool for expressing and enforcing a site?s policies regarding superuser privilege. > > If your sudo configuration expresses and enforces those policies the way you want it to, then the configuration is correct. If it does not, then fix it.Incidentally, sudo stands for substitute user do. Meaning: executing something as a different user. I keep repeading it to proficient Linux users who sometimes need my help too, amazingly they all percieve it as a super user do, not as a substitute user do. Even though ?man sudo? says in the first line: - execute a command as another user? Just mentioning. Valeri> sudo doesn?t tell you what your policies should be. > > We can suggest policies to you, but not based only on the information you?ve just given us. To properly advise you, we?d need to know your threat models, the risk assessments, and more. In short, we?d have to become your system administrators. > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Apparently Analagous Threads
- Giving full administrator privileges through sudo on production systems
- Giving full administrator privileges through sudo on production systems
- Replacing kernel-headers with custom compiled version (from kernel.org) - safe?
- Giving full administrator privileges through sudo on production systems
- Replacing kernel-headers with custom compiled version (from kernel.org) - safe?