Re: SUDO vs root account question

[Jacob Bresciani <jacob () bresciani ca>]

answers below    


On Wed, 2005-03-23 at 10:47 +0200, Tahis Vera wrote:
> Hi all,
> I have two quick questions related to the 'sudo' command;
> putting a certain user Mr.X with ALL=(ALL)ALL permissions in the
> sudoers file, gives him COMPLETE root previleges? In other words, if I
> want that some people, for security reasons, stop using the root
> account/password for accessing the servers, by crating a sudo user
> with ALL previledges will decrease this risk? If this sudo account  is
> compromised, will the cracker have COMPLETE root previleges?
yes, try running `sudo su -`

Read through the man page to lead how to secure this as much as
possible.

It would also be better (in my mind) if there was no "group" user
account. Give the users access as required on a per user basis. Every
time sudo is run it gets logged telling me who did what using sudo and
failed attempts to run sudo logged and e-mailed to root (aliased to me).

> The other questions is how to set the time (in sudoers file) for the
> user to work with sudo, without having to write the password (let's
> say that I want to work for 20 minutes without having to write the
> password again)

according to the sudoers man page (on my amd64 debian system) 

timestamp_timeout
      Number of minutes that can elapse before sudo will ask for a
      passwd again.  The default is 15.  Set this to 0 to always prompt
      for a password.  If set to a value less than 0 the user's times-
      tamp will never expire.  This can be used to allow users to create
      or delete their own timestamps via sudo -v and sudo -k respec-
      tively

> regards
>
> Tahis

-- 
Jacob Bresciani
Etraffic Solutions
Systems / Network Administrator
BUS (250) 658-8238 ex 39
FAX (250) 658-5936