TCLUG Archive
sudoers audit
Below is my sudoers file. The goal is to let users in group admin do basic
startup and shutdown stuff and manage passwords of users (but not root).
Does this look like a secure setup?
# User alias specification
User_Alias ADMIN = %admin
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown
Cmnd_Alias HALT = /sbin/halt
Cmnd_Alias REBOOT = /sbin/reboot
Cmnd_Alias RESTART = /etc/rc.d/init.d/httpd restart, \
    /etc/rc.d/init.d/junkbuster restart, /etc/rc.d/init.d/smb restart
Cmnd_Alias PASSWORD = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root, \
    !/usr/bin/passwd admin, !/usr/bin/passwd [users with admin access]
Cmnd_Alias USERCONTROL = /usr/sbin/useradd, /usr/sbin/userdel, \
    /usr/sbin/usermod
# User privilege specification
root ALL=(ALL) ALL
ADMIN ALL = NOPASSWD: SHUTDOWN, HALT, REBOOT, RESTART
ADMIN ALL = PASSWORD, USERCONTROL
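
An added example, not part of the original post: a small lint pass over the Cmnd_Alias lines above that flags the constructs worth a second look when the goal is "manage users, but not root". The rule names and the ACCOUNT_TOOLS set are assumptions of this example, and the sample input is constructed from the aliases in the post.

```python
import re

# Constructed sample: three aliases from the post, with "\" continuations.
SUDOERS = r"""
Cmnd_Alias PASSWORD = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root, \
    !/usr/bin/passwd admin
Cmnd_Alias USERCONTROL = /usr/sbin/useradd, /usr/sbin/userdel, \
    /usr/sbin/usermod
Cmnd_Alias REBOOT = /sbin/reboot
"""

# Assumption: tools this lint treats as able to change any account, root included.
ACCOUNT_TOOLS = {"passwd", "useradd", "userdel", "usermod"}

def lint(text):
    """Return (alias, rule, entry) findings; rule names are this example's own."""
    findings = []
    joined = re.sub(r"\\\n\s*", " ", text)          # fold continuation lines
    for line in joined.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if not m:
            continue
        alias, body = m.groups()
        for entry in re.split(r"(?<!\\),", body):   # "\," is an escaped comma
            entry = entry.strip()
            negated = entry.startswith("!")
            cmd, _, args = entry.lstrip("! ").partition(" ")
            tool = cmd.rsplit("/", 1)[-1]
            if negated:
                # A deny entry covers only the argument string it spells out.
                findings.append((alias, "negated-entry", entry))
            if re.search(r"[*?\[]", args):
                # sudoers wildcards in arguments match across word boundaries.
                findings.append((alias, "wildcard-args", entry))
            if "[A-z]" in args:
                # In ASCII, A-z also spans the punctuation [ \ ] ^ _ `
                findings.append((alias, "wide-range", entry))
            if tool in ACCOUNT_TOOLS and not args and not negated:
                # No argument list means any arguments, so any account.
                findings.append((alias, "unrestricted-account-tool", entry))
    return findings

if __name__ == "__main__":
    for alias, rule, entry in lint(SUDOERS):
        print(f"{alias}: {rule}: {entry}")
```

Each finding points at an entry where the rule permits more than the stated goal; the usual remedy is to replace the allow-then-deny pattern with a wrapper script or an explicit list of permitted invocations.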