Re: [SAGE] Security tokens
On Tue, Jan 21, 2003 at 09:57:01AM -0800, Ted Cabeen wrote:
> We try to use sudo for sysadmin tasks here too, but you need to make sure that
> your policy is flexible enough to deal with the specifics of your systems as
> well. We discourage the use of "sudo <shell>" because it breaks auditing, but
> we have to use it from time to time when we need to glob through a set of
> non-world readable/executable directories.
Op is your friend. It's like sudo in many ways, but lets you take much
finer-grained control. For example, on my home machine anyone in group
'family' was able to do 'op shutdown' or 'op reboot' and reset the system.
See ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/op/op-1.11.tar.gz.
The tarball contains a paper about op, a man page, and sample config files
as well as the source.
Configuration can occasionally be difficult, depending on how subtle you
want to get. But it's much, much safer than permitting "sudo <shell>".
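
Added example, not part of the original message and not code from sudo or op: a Python check for the auditing gap discussed in this thread, which scans sudo's syslog records and flags interactive shell launches, after which the log records nothing further. The log lines are constructed samples, and the SHELLS list and the function name are assumptions to adapt per site.

```python
import os
import re

# Programs whose sudo log entry records only the launch, not what was typed
# afterwards (assumed list; extend it for the shells installed at your site).
SHELLS = {"sh", "bash", "dash", "ksh", "csh", "tcsh", "zsh", "su"}

# sudo's syslog record: "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?"
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def shell_escalations(lines):
    """Return (user, runas, command) for each sudo record that starts a shell."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line.rstrip("\n"))
        if not m:
            continue  # not a sudo command record
        argv = m.group("cmd").split()
        prog = os.path.basename(argv[0])
        # "sh -c '<one command>'" is logged with its full argument string, so
        # it stays auditable; a shell started without -c is the blind spot.
        if prog in SHELLS and "-c" not in argv[1:]:
            hits.append((m.group("user"), m.group("runas"), m.group("cmd")))
    return hits

# Constructed sample log lines (hosts, users and paths are made up).
SAMPLE = [
    "Jan 21 10:02:11 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/sbin/shutdown -r now",
    "Jan 21 10:05:40 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; "
    "USER=root ; COMMAND=/bin/bash",
    "Jan 21 10:09:03 host1 sudo:    carol : TTY=pts/2 ; PWD=/srv ; "
    "USER=root ; COMMAND=/bin/sh -c ls /srv/private/*",
    "Jan 21 10:12:27 host1 sudo[4121]:  dave : TTY=pts/3 ; PWD=/ ; "
    "USER=root ; COMMAND=/bin/su -",
]

if __name__ == "__main__":
    for user, runas, cmd in shell_escalations(SAMPLE):
        print(f"unaudited shell: {user} -> {runas}: {cmd}")
```

The third sample line shows that a one-off glob through restricted directories run as `sh -c` still appears in full in the log, so only the bare shell and `su -` entries are reported.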