Re: [SAGE] Security tokens
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In message <15240000.1043170053@jxh.mirapoint.com>, Jim Hickstein writes:
>>> And yes, certain things (like "sudo /bin/sh") are considered prima
>>> facie acts of wrongdoing, meaning that I can convince HR to take
>>> steps.
>>
>> Why? If that function works, it must be because you allowed it.
>
>Because it defeats sudo's auditing. This is for sysadmins generally, where
>sudo ALL=ALL is considered slightly better than handing out the (reusable)
>root password to a bunch of people.
We try to use sudo for sysadmin tasks here too, but you need to make sure that
your policy is flexible enough to deal with the specifics of your systems as
well. We discourage the use of "sudo <shell>" because it breaks auditing, but
we have to use it from time to time when we need to glob through a set of
non-world readable/executable directories. Our policy recognizes that when
you're working on the mail system, "sudo <shell>" is usually okay, although if
you're always using it, that's something to look at.
- --
Ted Cabeen http://www.pobox.com/~secabeen ted@impulse.net
Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen@pobox.com
"I have taken all knowledge to be my province." -F. Bacon secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot cabeen@netcom.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: Exmh version 2.5 07/13/2001
iD8DBQE+LYntoayJfLoDSdIRAkU+AKCH7XwSj0qDGVG53FwXXTY35AjJhwCgjiTu
25oQRkC6XnKMgWHLWhDOanQ=
=Smjh
-----END PGP SIGNATURE-----
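The thread's point is that "sudo <shell>" is tolerated but should be rare, and that a sysadmin who is always using it is "something to look at". The script below, an added example that is not part of the original post or of the sudo project, shows how to check that from sudo's syslog output: it parses the standard "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." lines, flags commands that hand out an unaudited interactive session (shells and su), and reports per-user how often that happens. The log lines, host name and user names are constructed for the example; the set of shell-like commands is an assumption you would tune to your own policy.

```python
import os
import re
from collections import Counter

# Constructed sample lines in sudo's default syslog format (not real data).
SAMPLE_LOG = """\
Jan 21 14:02:11 mailhost sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Jan 21 14:05:42 mailhost sudo:     bob : TTY=pts/1 ; PWD=/var/spool ; USER=root ; COMMAND=/usr/bin/find /var/spool/mail -name core
Jan 21 14:07:03 mailhost sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash -l
Jan 21 15:11:19 mailhost sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/su -
Jan 22 09:30:00 mailhost sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /var/spool/mail
"""

# Matches the fields sudo writes on a successful-command log line.
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that yield an interactive session sudo can no longer audit.
# Assumption: this list reflects the shells present on the host; extend it
# to match your own systems.
SHELL_LIKE = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "su"}


def parse_sudo_line(line):
    """Return a dict with user, target user and argv, or None if not a sudo line."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "target": m.group("target"),
        "argv": m.group("cmd").split(),
    }


def is_shell_escape(argv):
    """True when the executed program is a shell or su, regardless of its path."""
    if not argv:
        return False
    return os.path.basename(argv[0]) in SHELL_LIKE


def audit(log_text):
    """Flag shell escapes and compute, per user, the share of sudo runs that were shells."""
    events = [e for e in map(parse_sudo_line, log_text.splitlines()) if e]
    flagged = [e for e in events if is_shell_escape(e["argv"])]
    total = Counter(e["user"] for e in events)
    shells = Counter(e["user"] for e in flagged)
    ratio = {u: shells[u] / total[u] for u in total}
    return {"flagged": flagged, "ratio": ratio}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for e in result["flagged"]:
        print(f"shell escape: {e['user']} -> {e['target']}: {' '.join(e['argv'])}")
    for user, share in sorted(result["ratio"].items()):
        print(f"{user}: {share:.0%} of sudo invocations were shells")
```

Run it against a real /var/log/auth.log (or wherever sudo's syslog facility lands) instead of SAMPLE_LOG; a user whose ratio sits near 100% is the case the post describes as worth a look, while an occasional shell on the mail host is the tolerated exception.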