The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Does anyone use sudo users for support staff?

Discussion in 'General Discussion' started by AbeFroman, Sep 29, 2004.

  1. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    Does anyone use sudo users for support staff?
     
  2. laborspy

    laborspy Well-Known Member

    Joined:
    Feb 7, 2004
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    I worked at an large east coast cable modem ISP that gave the tech support staff SUDO access to do simple commands on the mail server(useradd, passed, userdel). It worked out very well.
     
  3. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    What is the easiest way to setup a sudo to only allow passwd and su to another user(but not root)
     
  4. laborspy

    laborspy Well-Known Member

    Joined:
    Feb 7, 2004
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    Here is a good guide: http://www.linuxhelp.ca/guides/sudo/

    We had a problem when a person used SUDO to access su - into another user, funny story though, they did passwd with no user name .... they would chance the name of the root password and not know it. We'd have to drive to the location and reset the password.

    -Jason
     
  5. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    LOL! Can you do a wildcard?
    sudoman ALL = /usr/bin/passwd *,!/usr/bin/passwd
     
    #5 AbeFroman, Sep 30, 2004
    Last edited: Sep 30, 2004
  6. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    A security expert like your self should know how to setup sudo....
     
  7. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    I get this error when trying to run sudo by my underpriviledged sudo user:
    "Sorry, sudo must be setuid root."

    It is safe to run chmod 4111 /usr/bin/sudo ?
     
  8. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    Again i must say:

    If you are such the security expert you should know that.
     
  9. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    bump......
     
  10. admin0

    admin0 Active Member

    Joined:
    Aug 11, 2002
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    OK.
    login as root:

    visudo ENTER

    # Host alias specification

    # User alias specification -> define your support staff login names.
    User_Alias STAFF = staff1, staff2, staff3

    # Cmnd alias specification
    Cmnd_Alias STAFFCMD = /usr/bin/passwd [A-z]*, !/usr/bin/passwd, !/usr/bin/passwd root, \
    /bin/su [A-z]*, !/bin/su root, !/bin/su -

    # Defaults specification

    # User privilege specification
    root ALL=(ALL) ALL
    STAFF ALL = STAFFCMD
    #STAFF ALL = NOPASSWD: STAFFCMD

    :wq ENTER <- exit

    now, login as staff1 or staff2 or staff3.
    I recommend enforcing passwd for an extra security layer.
    else, you can use the NOPASSWD

    You can have sudo as 4111 or 4755


    Cheers,
     
  11. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    Thanks you rule!!
     
Loading...

Share This Page