
Does anyone use sudo users for support staff?

Discussion in 'General Discussion' started by AbeFroman, Sep 29, 2004.

  1. AbeFroman

    Does anyone use sudo users for support staff?
     
  2. laborspy

    I worked at a large east coast cable modem ISP that gave the tech support staff SUDO access to do simple commands on the mail server (useradd, passwd, userdel). It worked out very well.
     
  3. AbeFroman

    What is the easiest way to set up a sudo to only allow passwd and su to another user (but not root)?
     
  4. laborspy

    Here is a good guide: http://www.linuxhelp.ca/guides/sudo/

    We had a problem when a person used SUDO to access su - into another user. Funny story though, they did passwd with no user name ... they would change the name of the root password and not know it. We'd have to drive to the location and reset the password.

    -Jason
     
  5. AbeFroman

    LOL! Can you do a wildcard?
    sudoman ALL = /usr/bin/passwd *,!/usr/bin/passwd
     
    #5 AbeFroman, Sep 30, 2004
    Last edited: Sep 30, 2004
  6. StevenC

    A security expert like yourself should know how to set up sudo....
     
  7. AbeFroman

    I get this error when trying to run sudo as my underprivileged sudo user:
    "Sorry, sudo must be setuid root."

    Is it safe to run chmod 4111 /usr/bin/sudo ?
     
  8. StevenC

    Again I must say:

    If you are such the security expert you should know that.
     
  9. AbeFroman

    bump......
     
  10. admin0

    OK.
    Log in as root:

    visudo ENTER

    # Host alias specification

    # User alias specification -> define your support staff login names.
    User_Alias STAFF = staff1, staff2, staff3

    # Cmnd alias specification
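    # "" matches passwd run with no arguments only. A bare !/usr/bin/passwd matches
    # any arguments and, being the later match, would deny every passwd call.
    Cmnd_Alias STAFFCMD = /usr/bin/passwd [A-z]*, !/usr/bin/passwd "", !/usr/bin/passwd root, \
    /bin/su [A-z]*, !/bin/su root, !/bin/su -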

    # Defaults specification

    # User privilege specification
    root ALL=(ALL) ALL
    STAFF ALL = STAFFCMD
    #STAFF ALL = NOPASSWD: STAFFCMD

    :wq ENTER <- exit

    Now, log in as staff1 or staff2 or staff3.
    I recommend enforcing passwd for an extra security layer.
    Otherwise, you can use NOPASSWD.

    You can have sudo as 4111 or 4755


    Cheers,
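
A simplified model of how sudoers evaluates a command list like STAFFCMD, comparing a bare `!/usr/bin/passwd` entry with `!/usr/bin/passwd ""`. This is an added example, not code from the thread or from sudo; it assumes three sudoers rules (the last matching entry wins, an entry with no arguments matches any arguments, `""` matches only an empty argument list), and the helper names and probe commands are constructed for illustration.

```python
import fnmatch

# Constructed copies of the STAFFCMD list: one with a bare negation, one with "".
BARE = ('/usr/bin/passwd [A-z]*, !/usr/bin/passwd, !/usr/bin/passwd root, '
        '/bin/su [A-z]*, !/bin/su root, !/bin/su -')
QUOTED = BARE.replace('!/usr/bin/passwd,', '!/usr/bin/passwd "",')

# Constructed probe commands a support account might type after "sudo".
PROBES = ['/usr/bin/passwd alice', '/usr/bin/passwd', '/usr/bin/passwd root',
          '/bin/su alice', '/bin/su root', '/bin/su -', '/bin/su']

def parse(spec):
    """Split one list entry into (allow, path, argument pattern or None)."""
    spec = spec.strip()
    allow = not spec.startswith('!')
    path, _, args = spec.lstrip('!').partition(' ')
    return allow, path, (args.strip() or None)

def entry_matches(path, pattern, cmd_path, cmd_args):
    if path != cmd_path:
        return False
    if pattern is None:        # no arguments listed: any arguments match
        return True
    if pattern == '""':        # "": only an empty argument list matches
        return cmd_args == ''
    return fnmatch.fnmatchcase(cmd_args, pattern)

def allowed(alias, command):
    """Last matching entry decides; no match at all means not permitted."""
    cmd_path, _, cmd_args = command.partition(' ')
    verdict = False
    for spec in alias.split(','):
        allow, path, pattern = parse(spec)
        if entry_matches(path, pattern, cmd_path, cmd_args.strip()):
            verdict = allow
    return verdict

def audit(alias):
    """Return {command: permitted?} for every probe."""
    return {cmd: allowed(alias, cmd) for cmd in PROBES}

if __name__ == '__main__':
    for name, alias in (('bare', BARE), ('quoted', QUOTED)):
        print(name)
        for cmd, ok in audit(alias).items():
            print('  %-24s %s' % (cmd, 'allowed' if ok else 'denied'))
```

On a real host, `visudo -c` checks the file's syntax and `sudo -l -U staff1` (run as root) lists what the rules actually grant that account.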
     
  11. AbeFroman

    Thanks, you rule!!
     