answers below
On Wed, 2005-03-23 at 10:47 +0200, Tahis Vera wrote:
Hi all,
I have two quick questions related to the 'sudo' command;
putting a certain user Mr.X with ALL=(ALL)ALL permissions in the
sudoers file, gives him COMPLETE root previleges? In other words, if I
want that some people, for security reasons, stop using the root
account/password for accessing the servers, by crating a sudo user
with ALL previledges will decrease this risk? If this sudo account is
compromised, will the cracker have COMPLETE root previleges?
yes, try running `sudo su -`
Read through the man page to lead how to secure this as much as
possible.
It would also be better (in my mind) if there was no "group" user
account. Give the users access as required on a per user basis. Every
time sudo is run it gets logged telling me who did what using sudo and
failed attempts to run sudo logged and e-mailed to root (aliased to me).
The other questions is how to set the time (in sudoers file) for the
user to work with sudo, without having to write the password (let's
say that I want to work for 20 minutes without having to write the
password again)
according to the sudoers man page (on my amd64 debian system)
timestamp_timeout
Number of minutes that can elapse before sudo will ask for a
passwd again. The default is 15. Set this to 0 to always prompt
for a password. If set to a value less than 0 the user's times-
tamp will never expire. This can be used to allow users to create
or delete their own timestamps via sudo -v and sudo -k respec-
tively
regards
Tahis
--
Jacob Bresciani
Etraffic Solutions
Systems / Network Administrator
BUS (250) 658-8238 ex 39
FAX (250) 658-5936
