Network Security Focus-Sun

Re: root group in solaris

Subject: Re: root group in solaris
Date: Mon, 18 Sep 2006 15:43:16 -0400
And you might add a second bit to the line suggested below

   %wheel     ALL = (ALL) ALL, ! /usr/bin/su -

This should prevent someone from explicitly executing "sudo su -"

Of course, someone with sudo rights to ALL like this can easily get around not being able to "sudo su -" in a dozen ways (like "sudo /bin/ksh", etc.).

But the error message that comes back acts as a gentle reminder to be a good citizen and not do things like that.

I recently found this well-written overview of how a user should think about sudo (and not resent having to type "sudo" in front of everything)
https://cs.stanford.edu/doc/Systems/PrivilegedAccessPolicy



Freeman, Michael wrote on 9/18/2006 1:59 PM:
I agree. You can also leverage the 'wheel' group in sudo by first adding
everyone to the 'wheel' group then making a simple rule in your
sudoers.conf file like:

%wheel          ALL = (ALL) ALL

This will let anyone in the 'wheel' group have 'root' sudo
privileges.


-----Original Message-----
From: Fontanez Martin [mailto:Fontanez.Martin@pbgc.gov]
Sent: Monday, September 18, 2006 12:51 PM
To: Freeman, Michael; dubaisans dubai; focus-sun@securityfocus.com
Subject: RE: root group in solaris


Sudo is really the simplest and more robust solution.  Also you can
track log info.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Freeman, Michael
Sent: Monday, September 18, 2006 1:23 PM
To: dubaisans dubai; focus-sun@securityfocus.com
Subject: RE: root group in solaris

Typically you would add someone to the 'wheel' user group on a UNIX
system if you want them to have those privileges. You must make sure
that the tools you want users to have access to are also members of the
'wheel' group (chgrp), if it is not already setup that way by default.

http://en.wikipedia.org/wiki/Unix_security
http://www.onlamp.com/pub/a/bsd/2000/09/13/FreeBSD_Basics.html


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of dubaisans dubai
Sent: Monday, September 18, 2006 7:50 AM
To: focus-sun@securityfocus.com
Subject: root group in solaris

Hi,

I would like to give root user privileges to a set of OS administrators.
Everyone has individual user-ids on the system.
Currently they log in with their personal ID and then SU to root. I do not
want to share root password with these many people.

I am thinking of adding all these users to the "root" group [GID 0].
Will it provide root-equivalent UID 0 access to these users? If not, why?
Does the "root" group not have root user-id equivalent privileges?

Is it possible manually to make the GID 0 privileges equivalent of UID
0?

How else can I give these individual users root privileges - make all of
them UID 0 or something? Is that a smart idea?

I am looking at something simpler than SUDO or RBAC
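
The point made in the reply at the top of this thread (a "!" exclusion appended to an ALL grant works as a reminder, not as a control) can be turned into a review check. The following is an added example, not part of the original messages: a small Python linter run over a constructed sudoers sample. The function name `audit_sudoers`, the sample entries and the finding labels are assumptions, and the parser handles only simple one-line user specifications.

```python
import re

# Constructed sample sudoers content for illustration (not from a real host).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults   logfile=/var/log/sudo.log
%wheel     ALL = (ALL) ALL, ! /usr/bin/su -
%wheel     ALL = (ALL) ALL
%dbadmin   ALL = (root) /usr/sbin/svcadm restart database
alice      ALL = (ALL) NOPASSWD: ALL
"""

# who  host = (runas) command-list; simple one-line user specifications only
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
# Lines that are not user specifications (simplification: any '#' line is skipped)
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as NOPASSWD:


def audit_sudoers(text):
    """Return (line_no, who, finding) for every rule that grants ALL commands."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        match = RULE.match(line)
        if not match:
            continue
        # Split the command list and drop tags so "NOPASSWD: ALL" reads as "ALL"
        cmds = [TAGS.sub("", c.strip()) for c in match["cmds"].split(",")]
        denied = [c for c in cmds if c.startswith("!")]
        if "ALL" not in cmds:
            continue  # allow-list of specific commands: nothing to report
        if denied:
            # Deny-list on top of ALL: as the thread notes, a shell such as
            # /bin/ksh is still permitted, so the exclusion is advisory only.
            findings.append((line_no, match["who"], "negation-with-ALL"))
        else:
            findings.append((line_no, match["who"], "unrestricted-ALL"))
    return findings


if __name__ == "__main__":
    for line_no, who, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {line_no}: {who}: {finding}")
```

Only the `%dbadmin` entry, which lists the one command it allows, passes without a finding.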


