Date: Wed, 4 Oct 2000 21:37:15 -0700
From: "Robert Shea" <robert.shea@onlinecables.com>
To: <questions@FreeBSD.ORG>
Subject: Re: Securing SU
Message-ID: <002001c02e85$f0937ea0$91c1ce3f@lola>
References: <14811.60575.915025.704286@guru.mired.org>
> Dan Mahoney, System Admin writes:
> > On Wed, 4 Oct 2000, roman wrote:
> > > > I was wondering if there was a way to configure su so that it would
> > > > disallow a user access if they're telnetted in. (but, say, allow them if
> > > > they have sshed in).
> > > what about sudo?
> > > better than su, because you get to control who gets to do what as root.
> > Oh, I have four people who have root, and need it. My web guy, my cgi
> > guy, myself and my assistant... All of us need full root, and all are
> > trusted (in fact one is a cousin and one is a fiancee).
>
> Looks like a web server. If it's internet and not intranet, turning
> off telnet should have been before it went production. I wouldn't be
> surprised if those were the only four people who needed access to the
> machine, which makes that straightforward.
>
> Since I'm on the soapbox, I have to wonder why the web & cgi guys need
> root access. The web stuff should all be owned by some user (not root)
> (or group). Access to that user (group) should be all they need -
> except for stopping and starting the server (damn Unix "privileged
> ports"). The latter is an ideal use for sudo. I've set up this kind of
> thing for outside contractors doing development on boxes I was
> responsible for. Yes, they bitched about it, and yes, it was a bit
> more work for me to set up - but I slept better at night knowing the
> clowns in question could only screw up *their* stuff.
>
> <mike

I agree... the web guy and the cgi guy don't need root access at all. To solve the starting/stopping the server thing... either run the server on port 8000 (or such) and map it to 80... or just write a suid script to do it for you.

Remember... no one is 100% secure in their practices (as evidenced by the telnet/su problem in the first place), so as you increase your number of super users you consequently greatly decrease your security (as mistakes in this case are 4 times more likely than having a single root user).

Robert Shea
"Ophelia you made me cry, guess that's why I learned to swim."
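Mike's suggestion of using sudo only for stopping and starting the server, written out as a sudoers fragment. This is an added example, not configuration from the thread or from any of the posters; it assumes the web and cgi developers are in a group named webdev and that the server is Apache with its control script at /usr/local/sbin/apachectl.

```sudoers
# Added example, not from the thread. Least-privilege replacement for
# handing the web/cgi developers a root password.
# Assumptions: developers are members of group "webdev"; Apache's control
# script lives at /usr/local/sbin/apachectl.

# Exactly the commands needed to bounce the server on a privileged port.
# Full paths and fixed arguments only: "apachectl *" would let any option
# through, and a bare "apachectl" with no argument list would too.
Cmnd_Alias WEBCTL = /usr/local/sbin/apachectl start, \
                    /usr/local/sbin/apachectl stop, \
                    /usr/local/sbin/apachectl restart, \
                    /usr/local/sbin/apachectl graceful

# webdev members may run only WEBCTL as root, on this host, nothing else.
# Each invocation is logged by sudo, which su does not give you.
%webdev ALL = (root) WEBCTL

# For comparison, the setting the thread argues against. This is full root
# for the whole group and is no better than giving them the root password:
# %webdev ALL = (ALL) ALL
```

Edit the file with visudo so a syntax error cannot lock everyone out, and run `visudo -c` to check it before relying on it.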