SUDO

mark m.roth2006 at rcn.com
Mon Jun 29 20:37:07 UTC 2009


hike wrote:
> On Mon, Jun 29, 2009 at 3:49 PM, mark <m.roth2006 at rcn.com> wrote:
>> hike wrote:
>>> On Mon, Jun 29, 2009 at 10:16 AM, Mertens, Bram <mertensb at mazdaeur.com> wrote:
>>>
>>>> I'd like to elaborate on this a bit.
>>>>
>>>> The intention of sudo is to allow specific users to execute specific
>>>> commands while keeping the root account locked down.  In addition, sudo
>>>> provides a trace of which user executed which command in /var/log/secure
>>>> that can be used for auditing.
>>>>
>>>> The sudoers file should allow as little as possible to as few users as
>>>> possible!
>>>>
>>>> If you allow users to execute sudo su - with or without having to enter
>>>> the root password you gain nothing.  While working as root no actions
>>>> are logged and all log files can be edited to remove any trace of
>>>> "illegal" actions.
>> <snip>
>>> the op wants to hack the system and gain resources he has no
>>> authorization for.
>> Or the managers don't want to share the root password, say, with a
>> contractor, who they've hired as a sysadmin, but will only be there a few
>> months, and they don't want to have to change root passwords.
> 
> that is a distinction without a difference.
> 
> the op wants to hack the system and gain resources he has no authorization
> for.

You're completely wrong. If, in my example, the contractor is granted the
individual account, and group access to explicitly allow that - and it *is* a
specific specification in /etc/sudoers, it may be management's intent to have
them do it that way.

That was exactly the case for me on a recent contract. My managers told me to
do it that way.

So, it is both a distinction *and* a difference.

	mark
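The two points Bram raises earlier in the thread (keep /etc/sudoers as narrow as possible, and note that a `sudo su -` entry ends the audit trail in /var/log/secure) can be checked mechanically. The script below is an added example written for this archive page, not something posted in the thread; the usernames, command paths and log lines are constructed samples, and the two functions do a crude textual check rather than a full sudoers parse.

```shell
#!/bin/sh
# Added example (not from the thread): contrast an over-broad sudoers entry
# with a least-privilege one, and flag the entries that hand out a root shell.

# Constructed sudoers content. "contractor" and "backupops" are hypothetical
# accounts; the paths are ordinary Red Hat locations but are only samples.
BROAD_SUDOERS='contractor ALL=(ALL) ALL
wheel ALL=(ALL) NOPASSWD: /bin/su -'

NARROW_SUDOERS='contractor ALL=(root) /usr/sbin/service httpd restart, /usr/bin/tail /var/log/httpd/error_log
Cmnd_Alias BACKUP = /usr/bin/rsync
backupops ALL=(root) BACKUP'

# Constructed /var/log/secure lines in the format sudo writes via syslog.
SAMPLE_SECURE_LOG='Jun 29 20:30:01 host sudo: contractor : TTY=pts/0 ; PWD=/home/contractor ; USER=root ; COMMAND=/usr/sbin/service httpd restart
Jun 29 20:31:15 host sudo: contractor : TTY=pts/0 ; PWD=/home/contractor ; USER=root ; COMMAND=/bin/su -
Jun 29 20:35:42 host sudo: backupops : TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/rsync -a /srv /backup'

# count_shell_grants SUDOERS_TEXT
# Prints how many non-comment lines grant an unrestricted root shell: a
# command list of ALL, or su / a shell binary as the command.
count_shell_grants() {
    printf '%s\n' "$1" \
        | grep -v '^#' \
        | grep -Ec '(ALL|(/usr)?/bin/su|/bin/(ba)?sh)[[:space:]]*(-.*)?$' \
        || true   # grep -c exits 1 on zero matches; still print the 0
}

# count_shell_escapes LOG_TEXT
# Prints how many sudo log entries ran su or a shell, i.e. the points after
# which /var/log/secure no longer records what was done as root.
count_shell_escapes() {
    printf '%s\n' "$1" \
        | grep -Ec 'COMMAND=((/usr)?/bin/su|/bin/(ba)?sh)([[:space:]]|$)' \
        || true
}

printf 'broad sudoers  : %s shell-granting lines\n' "$(count_shell_grants "$BROAD_SUDOERS")"
printf 'narrow sudoers : %s shell-granting lines\n' "$(count_shell_grants "$NARROW_SUDOERS")"
printf 'sample log     : %s root shell escapes\n' "$(count_shell_escapes "$SAMPLE_SECURE_LOG")"
```

On a real host, feed `count_shell_grants` the output of `sudo -l` for a given account rather than grepping /etc/sudoers directly, since aliases and included files are resolved there; a textual check like this is a first pass, not a substitute for reading the policy.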
