On Wed, Sep 12, 2012 at 08:54:02AM -0400, Jiri B wrote:
> On Wed, Sep 12, 2012 at 08:24:13AM +0100, Stuart Henderson wrote:
> > On 2012/09/11 20:58, Michael W. Lucas wrote:
> > > Hi,
> > >
> > > I'm attempting to permit a group of otherwise-unprivileged users to
> > > build packages via sudo. You can see a post on my efforts at
> > > http://blather.michaelwlucas.com/archives/1421
> >
> > Cmnd_Alias PORTBUILDCMDS = /usr/bin/install, /usr/sbin/chown, /bin/chgrp,
> > /bin/sh -c umask, /usr/sbin/mtree, /usr/bin/touch, /usr/bin/env,
> > /usr/sbin/pkg_create, /bin/rm -f /home/ports/pkgrepo/*, /usr/bin/make,
> > /usr/bin/perl /usr/ports/infrastructure/bin/*, /bin/chmod 555
> > /home/ports/*, /bin/mkdir -p /home/ports/*, /bin/rm -rf /home/ports/*
> >
> > I think it's safer to actually give people root - that way, at least
> > you know that you're giving them root.
> >
> > sudo /usr/bin/install -o root -m 4755 /bin/ksh /bin/foobar
>
> This was my first WOW then I had seen that Cmnd_Alias line.
I'm less concerned about minions deliberately trying to get root than them preventing accidents. Can they leverage these privileges into root? Sure. But that demonstrates malice aforethought, which gives me grounds for HR/administrative action. If an intruder can GET to this machine, well, we have enough root compromises elsewhere that one more won't matter...

==ml

--
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlu...@michaelwlucas.com, Twitter @mwlauthor
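Stuart's point, as an added audit script that is not part of this thread: it parses the Cmnd_Alias quoted above from a constructed copy of the sudoers text and reports which entries amount to full root, either because the program runs with unrestricted arguments or because the only restriction is a wildcard, which sudoers(5) documents as matching across word boundaries. The ROOT_EQUIVALENT list and the parser are this example's own assumptions, not a sudo feature.

```python
import re

# Constructed copy of the PORTBUILDCMDS alias from the thread, laid out as in /etc/sudoers.
SUDOERS = r"""
Cmnd_Alias PORTBUILDCMDS = /usr/bin/install, /usr/sbin/chown, /bin/chgrp, \
    /bin/sh -c umask, /usr/sbin/mtree, /usr/bin/touch, /usr/bin/env, \
    /usr/sbin/pkg_create, /bin/rm -f /home/ports/pkgrepo/*, /usr/bin/make, \
    /usr/bin/perl /usr/ports/infrastructure/bin/*, /bin/chmod 555 \
    /home/ports/*, /bin/mkdir -p /home/ports/*, /bin/rm -rf /home/ports/*
"""

# Programs that amount to root when sudo lets them run with any arguments (auditor's own list).
ROOT_EQUIVALENT = {
    "install": "writes files with any owner and mode (the setuid ksh case)",
    "chown": "reassigns ownership of any file",
    "chgrp": "reassigns group of any file",
    "chmod": "sets any mode, setuid included, on any file",
    "env": "runs an arbitrary program",
    "make": "runs recipes from a caller-supplied Makefile",
    "perl": "runs arbitrary code",
}

def parse_cmnd_aliases(text):
    """Return {alias: [command, ...]} for every Cmnd_Alias in sudoers text."""
    folded = text.replace("\\\n", " ")          # join backslash continuation lines
    aliases = {}
    for m in re.finditer(r"^\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", folded, re.M):
        cmds = [" ".join(c.split()) for c in m.group(2).split(",")]
        aliases[m.group(1)] = [c for c in cmds if c]
    return aliases

def audit_commands(cmds):
    """Return (command, reason) for each entry that is effectively full root."""
    findings = []
    for cmd in cmds:
        prog, _, args = cmd.partition(" ")
        name = prog.rsplit("/", 1)[-1]
        if not args and name in ROOT_EQUIVALENT:
            findings.append((cmd, "unrestricted arguments: " + ROOT_EQUIVALENT[name]))
        elif "*" in args:
            # sudoers(5): an argument wildcard matches across word boundaries, so it is no path limit.
            findings.append((cmd, "wildcard argument is not a path restriction"))
    return findings

if __name__ == "__main__":
    for alias, cmds in parse_cmnd_aliases(SUDOERS).items():
        for cmd, reason in audit_commands(cmds):
            print(f"{alias}: {cmd!r}: {reason}")
```

Run against the quoted alias, it flags ten of the fourteen entries; only the exactly-specified commands (such as /bin/sh -c umask) and the plain utilities pass.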