[NCLUG] Re: Who uses SUDO on production machines?

Sean Reifschneider jafo at tummy.com
Sun Mar 18 19:33:28 MDT 2007


On Sun, Mar 18, 2007 at 10:08:25AM -0600, Bob Proulx wrote:
>Generally yes I always install and configure sudo.  This means that
>the root password is not shared among the critical admins of the

You can't retract a shared root password without changing it.  With sudo,
you can retract the root access of one particular individual without having
to exchange a root password with the remaining admins.  For example, on the
python.org machines, we have many admins all over the globe, and so this
can get to be a big deal.

In this case we also like to have people log in as themselves and do sudo
so that we can detect who might have done something particular, in case we
have to track down a possibly compromised machine, or, more likely, a
mistake.  Like the time one of the guys was on a python.org machine instead
of his laptop when he did "shutdown"...

I also use sudo extensively with "NOPASSWD" for administrative things that
I want regular users to have the ability to do, like on my laptop where I
may want to run "iwlist eth1 scan", I give myself the ability to run that
with NOPASSWD and wrap it in a little job that not only does the sudo for
me but also beautifies the output.

If I were to run a really security critical system, I'd probably set it up
so that gaining access to the root account wouldn't help, via SELinux.
Kevin has done this in the past: make the root account just a regular user
account.  That is a *LOT* of work though.  Most machines are not "security
critical" to this level.

However, it's probably not a bad idea to set up SSH to refuse root and
password authentication, "AllowUsers jafo proulx" and then give these users
sudo access.  This gives them the ability without also giving attackers a
known login name they can try forcing.

Sean
-- 
 > Sorry in advance for the idiocy... (Paul)
 You don't have to give us an advance - we know you're good for it. (Mike)
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
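An added example, not code from Sean's post or from tummy.com: a small POSIX sh script that checks the two configurations the mail describes, an sshd_config that refuses root and password logins and names the allowed users, and a sudoers file whose NOPASSWD rules are scoped to one command rather than ALL. The config texts it writes are constructed samples; the user names and the iwlist path are assumptions taken from the mail.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an sshd_config and a sudoers
# file against the practice described in the mail. Assumes POSIX sh, awk and grep;
# the config contents below are constructed samples.

# First uncommented value of a directive. sshd honours the first match, so a later
# duplicate does not override it; directive names are case-insensitive.
sshd_directive() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Return 0 when the sshd_config at $1 refuses root and password logins and lists
# allowed users; otherwise print what is missing and return 1. An absent directive
# falls back to sshd's compiled default, which is not counted as hardened here.
check_sshd_hardening() {
    cfg="$1"; status=0
    [ "$(sshd_directive PermitRootLogin "$cfg")" = "no" ] ||
        { echo "PermitRootLogin should be 'no'"; status=1; }
    [ "$(sshd_directive PasswordAuthentication "$cfg")" = "no" ] ||
        { echo "PasswordAuthentication should be 'no'"; status=1; }
    [ -n "$(sshd_directive AllowUsers "$cfg")" ] ||
        { echo "AllowUsers is not set"; status=1; }
    return "$status"
}

# Return 0 when every NOPASSWD rule in the sudoers file at $1 names a specific
# command, 1 if any rule grants "NOPASSWD: ALL" (passwordless full root).
check_sudoers_nopasswd() {
    if grep -E -v '^[[:space:]]*#' "$1" |
       grep -E -q 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)'; then
        echo "a NOPASSWD rule grants ALL commands"
        return 1
    fi
    return 0
}

# Constructed sample files, written to a temp dir that is removed on exit.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

WEAK_SSHD="$tmp/sshd_config.weak"
HARDENED_SSHD="$tmp/sshd_config.hardened"
BROAD_SUDOERS="$tmp/sudoers.broad"
SCOPED_SUDOERS="$tmp/sudoers.scoped"

cat > "$WEAK_SSHD" <<'EOF'
# constructed sample: distribution-style defaults, root login left to the default
#PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARDENED_SSHD" <<'EOF'
# constructed sample: the setup suggested in the mail
PermitRootLogin no
PasswordAuthentication no
AllowUsers jafo proulx
EOF

cat > "$BROAD_SUDOERS" <<'EOF'
# constructed sample: passwordless root for everything
jafo ALL=(ALL) NOPASSWD: ALL
EOF

cat > "$SCOPED_SUDOERS" <<'EOF'
# constructed sample: one command with fixed arguments runs without a password
# (the iwlist case from the mail; the path is an assumption)
jafo ALL=(root) NOPASSWD: /sbin/iwlist eth1 scan
# everything else still prompts for the user's own password
jafo ALL=(ALL) ALL
EOF

for f in "$WEAK_SSHD" "$HARDENED_SSHD"; do
    if check_sshd_hardening "$f"; then echo "$f: ok"; else echo "$f: needs work"; fi
done
for f in "$BROAD_SUDOERS" "$SCOPED_SUDOERS"; do
    if check_sudoers_nopasswd "$f"; then echo "$f: ok"; else echo "$f: needs work"; fi
done
```

Before installing a real sudoers fragment, validate its syntax with `visudo -c -f <file>`; a syntax error in sudoers can lock every admin out of sudo at once, which on a box with root SSH disabled means a console visit.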