![]() sudo adduser yourdeveloperuser web Then run sudo visudo -f /etc/sudoers.d/somefile (use a meaningful name instead of somefile ). admins aren't super savy hacker types, they mostly just use google and try the first 2 or 3 things they come across. Make a new group, web (call it what you wish) sudo addgroup web Add your developer (s) to the web group (use their login name). So yes I understand your recommendation, but in my particular situation, it isn't of great concern if they find another way to get a root shell, I'll just add it to the black list. One can run specific commands prefixed by sudo. It allows a user to act as a superuser and run commands accordingly. I trust them not to break things (too much), I just want there to be an audit trail of who ran what and when, when it comes to privileged commands.Ī black list of just a hand ful of items is sure easier to manage than a white list with thousands of things on it. It is the abbreviation for Super User DO. These are dev & test servers, not production. The Junior admins really need to have access to just about everything that root can do, because they need to manage things when I'm out on vacation or whatever, and they need to try things on their own and learn the systems. I'm the senior HP-UX admin here, and all the users that have sudo access are Junior admins, so we're all on the same team. Yes I realize that from a security standpoint, your recommendation is the best approach. Then make individual sudo rules to allow only the few things they actually need. ![]() The only holes in the configuration will be ones you open. ![]() ![]() Whenever they think of a new way to get root shells you haven't thought of, they will be able to do it.īlock everything by default. Like in a firewall, this opens not just a security hole but all possible security holes. The problem is the use of "default permit". ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |