Comments on: Linux Tips: The proper way to allow regular users to run commands as root http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/ The Journal Of A Linux Sysadmin Thu, 09 Feb 2012 03:50:59 +0000 hourly 1 http://wordpress.org/?v=3.3 By: johnhttp://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/comment-page-1/#comment-179863 john Sun, 15 Mar 2009 09:04:37 +0000 http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/#comment-179863 100 Linux Tips and Tricks are available here http://pretty-sharp.blogspot.com/search/label/100%20Linux%20Tips%20and%20Tricks 100 Linux Tips and Tricks are available here
http://pretty-sharp.blogspot.com/search/label/100%20Linux%20Tips%20and%20Tricks

]]> By: OpsGuyhttp://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/comment-page-1/#comment-178427 OpsGuy Tue, 05 Aug 2008 21:30:19 +0000 http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/#comment-178427 What you Security zealots don't realize it that Operations or Application admins need to get work done in a timely fashion. You guy put so much effort into limiting what can be done on a system, that the system is almost impossible to use for being proxied by sudo or other root shells.How about making the system usable again, by posting a way to have all commands logged even if someone has run a shell inside Sudo?C'mon..make yourselves useful and figure this out, instead of saying over and over..'no you cant do that'. What you Security zealots don’t realize it that Operations or Application admins need to get work done in a timely fashion. You guy put so much effort into limiting what can be done on a system, that the system is almost impossible to use for being proxied by sudo or other root shells.

How about making the system usable again, by posting a way to have all commands logged even if someone has run a shell inside Sudo?

C’mon..make yourselves useful and figure this out, instead of saying over and over..’no you cant do that’.

]]> By: ketanhttp://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/comment-page-1/#comment-178418 ketan Sat, 02 Aug 2008 04:55:52 +0000 http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/#comment-178418 plz, any budy help me give the command for lunix and unix in very easyest form thanks plz, any budy help me give the command for lunix and unix in very easyest form
thanks

]]> By: Lokesh Bishthttp://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/comment-page-1/#comment-50264 Lokesh Bisht Sat, 09 Jun 2007 03:16:43 +0000 http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/#comment-50264 ya i think linux is so lovely operating system and so interested for work. This site make help for many people who interested in linux operating system and work it. this site give so many documentation about linux command and script for use and gain your knowlege yourself............ ya i think linux is so lovely operating system and so interested for work. This site make help for many people who interested in linux operating system and work it. this site give so many documentation about linux command and script for use and gain your knowlege yourself…………

]]> By: Mark’s (we)Blog » Running sudo as a standard user in Mac OS Xhttp://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/comment-page-1/#comment-26965 Mark’s (we)Blog » Running sudo as a standard user in Mac OS X Wed, 21 Mar 2007 22:55:58 +0000 http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/#comment-26965 [...] I could edit /etc/sudoers (the guide at MDLog:/sysadmin gives a good introduction to sudo) but I don’t know what security holes I might open in the process. One workaround is to enable the root account and use ssh root@localhost but enabling root access is really an unnecessary step. Instead, I prefer to use su - adminaccountname, after which I can sudo the appropriate command(s) and exit to return to a standard shell. [...] [...] I could edit /etc/sudoers (the guide at MDLog:/sysadmin gives a good introduction to sudo) but I don’t know what security holes I might open in the process. One workaround is to enable the root account and use ssh root@localhost but enabling root access is really an unnecessary step. Instead, I prefer to use su – adminaccountname, after which I can sudo the appropriate command(s) and exit to return to a standard shell. [...]

]]> By: Mark’s (we)Blog » sudo as a standard user in Mac OS Xhttp://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/comment-page-1/#comment-26896 Mark’s (we)Blog » sudo as a standard user in Mac OS X Wed, 21 Mar 2007 18:53:33 +0000 http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/#comment-26896 [...] I could edit /etc/sudoers (the guide at MDLog:/sysadmin gives a good introduction to sudo) but I don’t know what security holes I might open in the process. One workaround is to enable the root account and use ssh root@localhost but enabling root access is really an unnecessary step. Instead, I prefer to use su - adminaccountname, after which I can sudo the appropriate command(s) and exit to return to a standard shell. [...] [...] I could edit /etc/sudoers (the guide at MDLog:/sysadmin gives a good introduction to sudo) but I don’t know what security holes I might open in the process. One workaround is to enable the root account and use ssh root@localhost but enabling root access is really an unnecessary step. Instead, I prefer to use su – adminaccountname, after which I can sudo the appropriate command(s) and exit to return to a standard shell. [...]

]]> By: polarizerhttp://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/comment-page-1/#comment-149 polarizer Wed, 31 May 2006 06:49:25 +0000 http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/#comment-149 One could try to combine rsync and chroot to circumvent the security impact of filesystem wide rsync access while running it as root-sudoer.just my 2cent polarizer One could try to combine rsync and chroot to circumvent the security impact of filesystem wide rsync access while running it as root-sudoer.

just my 2cent
polarizer

]]> By: agaragarhttp://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/comment-page-1/#comment-102 agaragar Wed, 24 May 2006 09:25:01 +0000 http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/#comment-102 A better example of sudo use might be cdrecord. A better example of sudo use might be cdrecord.

]]> By: - Marius -http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/comment-page-1/#comment-99 - Marius - Tue, 23 May 2006 17:26:45 +0000 http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/#comment-99 Dear plugh,You are correct. I have not understood your point initially, but you are correct, if you allow the user to run all the commands as root, then obviously logging can be disabled by a user that intends to do that. Thanks for pointing that out, and sorry if I have not understood you in the first place.Of course that from the security point of view the administrator must be very careful on what commands he enables for his users to run as root. Dear plugh,

You are correct. I have not understood your point initially, but you are correct, if you allow the user to run all the commands as root, then obviously logging can be disabled by a user that intends to do that. Thanks for pointing that out, and sorry if I have not understood you in the first place.

Of course that from the security point of view the administrator must be very careful on what commands he enables for his users to run as root.

]]> By: plughhttp://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/comment-page-1/#comment-98 plugh Tue, 23 May 2006 16:01:42 +0000 http://www.ducea.com/2006/05/19/linux-tips-the-proper-way-to-allow-regular-users-to-run-commands-as-root/#comment-98 In reply to""To plugh… Of course that this will depend on the commands you are allowing the users to run. If you are concerned about the logging then there are other ways to log the commands like snoopylogger for example."Please re-read the paragraph I quoted. You claimed "the ability to run some (or all) commands"..."And all the commands will be logged for your reference." As I pointed out, this is simply not true. If you give access to "(or all) commands" as you state, the logging can be defeated. The fact that you can run ANOTHER program like "snoop" to make up for this hole in sudo does not mean that that sudo's logging can't be defeated. You can use commands like snoop to monitor su as well as sudo.I would not advise anyone to use sudo based on the claim that it logs all commands when you allows the user access to all commands. It simply is NOT TRUE. If you understood sudo and wanted to give out ACCURATE information to your readers, you would have pointed out this vulnerability to your readers and you would not try to make imply that "snoop" some how means that this vulnerability does not exist in sudo. In reply to”

“To plugh… Of course that this will depend on the commands you are allowing the users to run. If you are concerned about the logging then there are other ways to log the commands like snoopylogger for example.”

Please re-read the paragraph I quoted. You claimed “the ability to run some (or all) commands”…”And all the commands will be logged for your reference.” As I pointed out, this is simply not true. If you give access to “(or all) commands” as you state, the logging can be defeated. The fact that you can run ANOTHER program like “snoop” to make up for this hole in sudo does not mean that that sudo’s logging can’t be defeated. You can use commands like snoop to monitor su as well as sudo.

I would not advise anyone to use sudo based on the claim that it logs all commands when you allows the user access to all commands. It simply is NOT TRUE. If you understood sudo and wanted to give out ACCURATE information to your readers, you would have pointed out this vulnerability to your readers and you would not try to make imply that “snoop” some how means that this vulnerability does not exist in sudo.

]]>