CentOS - Aug 2019 - Giving full administrator privileges through sudo on production systems

Hello,

Consider two following cases:

1. On production systems on television stations, a sysadmin give teens 
(remaja group, age 13 and older) full administrator privileges by adding 
this line to sudoers:

%remaja ALL=(ALL:ALL) ALL

Rationale: Almost all programs on the system can only be run by teens as 
root.

2. On production systems on tobacco factories, a sysadmin also give 
adults (age 18 and older, dewasa group) full administrator privileges by 
adding this line to sudoers:

%dewasa ALL=(ALL:ALL) ALL

Also, the sudo lecture file configured in sudoers (/etc/sudo.lecture) 
contain the following:

WARNING: I BROKE MY SYSTEM BECAUSE OF SUDO. CUSTOMER SERVICE: 
($a_random_phone_number)

Rationale: All programs on system can only be run by adults, because 
such programs might break system. However, instead of calling sysadmin 
when something breaks the system, adults can call customer service 
instead, which isn't qualified for system maintenance.

Based on above cases, is it OK to give group of random users full 
administrator privileges using sudo, by adding them to sudoers with ALL 
privileges? Should sudoers call customer service number instead of 
sysadmin when something breaks?

Cheers, Bagas

-- 
An old man doll... just what I always wanted! - Clara

Le 16/08/2019 ? 07:04, Bagas Sanjaya a ?crit?:
> Based on above cases, is it OK to give group of random users full
> administrator privileges using sudo, by adding them to sudoers with ALL
> privileges?
Short answer : this is VERY wrong.

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'?glise - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info at microlinux.fr
T?l. : 04 66 63 10 32
Mob. : 06 51 80 12 12

On Aug 15, 2019, at 11:04 PM, Bagas Sanjaya <bagasdotme at gmail.com>
wrote:
> 
> Based on above cases, is it OK to give group of random users full
administrator privileges using sudo, by adding them to sudoers with ALL
privileges? Should sudoers call customer service number instead of sysadmin when
something breaks?
sudo is a tool for expressing and enforcing a site?s policies regarding
superuser privilege.

If your sudo configuration expresses and enforces those policies the way you
want it to, then the configuration is correct.  If it does not, then fix it.

sudo doesn?t tell you what your policies should be.

We can suggest policies to you, but not based only on the information you?ve
just given us.  To properly advise you, we?d need to know your threat models,
the risk assessments, and more.  In short, we?d have to become your system
administrators.

> On Aug 16, 2019, at 6:21 AM, Warren Young <warren at etr-usa.com>
wrote:
> 
> On Aug 15, 2019, at 11:04 PM, Bagas Sanjaya <bagasdotme at gmail.com>
wrote:
>> 
>> Based on above cases, is it OK to give group of random users full
administrator privileges using sudo, by adding them to sudoers with ALL
privileges? Should sudoers call customer service number instead of sysadmin when
something breaks?
> 
> sudo is a tool for expressing and enforcing a site?s policies regarding
superuser privilege.
> 
> If your sudo configuration expresses and enforces those policies the way
you want it to, then the configuration is correct.  If it does not, then fix it.
Incidentally, sudo stands for substitute user do. Meaning: executing something
as a different user. I keep repeading it to proficient Linux users who sometimes
need my help too, amazingly they all percieve it as a super user do, not as a
substitute user do. Even though ?man sudo? says in the first line: - execute a
command as another user?

Just mentioning.

Valeri
> sudo doesn?t tell you what your policies should be.
> 
> We can suggest policies to you, but not based only on the information
you?ve just given us.  To properly advise you, we?d need to know your threat
models, the risk assessments, and more.  In short, we?d have to become your
system administrators.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

Why did you say it is wrong to give full admin privileges to random users?

-- 
An old man doll... just what I always wanted! - Clara