Sudoers for one day per week?


 
# 8  
Old 03-29-2014
Often I see people offer complicated solutions and advice for problems that can be solved with simple solutions.

Simple solutions are mostly easier to maintain than complicated solutions.
# 9  
Old 03-31-2014
Quote:
Originally Posted by alan
At least, the majority of users should not be able to use vi, cp, mv and rm.
I think you are doing that from the wrong end. Let us take a step back:

There are certain files which are pertinent to the proper operation of the system: operating system binaries, libraries, vital configuration files, ... To identify these seems like a lot of work, but the UNIX filesystem hierarchy, if properly used, will assist by concentrating these vital things into a few directories. Identify all these files/directories. "Normal" users should not have write access to any of these files/directories. Still, every user should be able to modify his own files/directories. Taking away access to "vi" seems like a good idea, but you take away the ability to even take a note with it - and you would have to take away a lot of other commands too, which can modify a file too: dd, cat, ed, ex, cp, paste, join, sort, echo, print, printf, sed, awk, ... this list is endless.

Instead of limiting the tools to modify files it is better to limit the access to the files themselves. As long as you are not allowed to modify fileX it doesn't matter if you try to do it with "vi" or any other tool.

Another aspect: you can limit the privilege to modify vital files to certain people but you can't make these behave more responsibly by a security measure. In every scenario there will be at least one person who is allowed to wreak havoc on the system. The privilege to use comes always with the privilege to misuse - because the system cannot separate legit and illegitimate use of a resource at all. In a nutshell: you cannot prevent root from being root.

This is the reason why "Sysadmin" is a job usually done by a very small select group of people - specially trained and qualified for the job - and all the others are limited to a small part of the system. Still, even for these goes: if you can use something it is within your power to misuse it and if you are the admin for the "foo" software and can edit its config files you can perhaps misconfigure it in a way that it won't start, won't be accessible or won't work properly in some other respect.

I hope this helps.

bakunin
# 10  
Old 03-31-2014
Something else worth bearing in mind - sudo root access to commands that provide built-in shell execution (like vim or less) is actually root access to everything.
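
An added example, not part of any post in this thread: a small audit of sudoers rules for the commands post #10 names as offering a built-in shell (vi, vim, less). The function name, the `ESCAPE_CMDS` variable and the sample policy are constructed for illustration; aliases used inside rules, line continuations and escaped commas are not handled.

```shell
#!/bin/sh
# Added example: flag sudoers command specs that hand out an editor or pager.
ESCAPE_CMDS=${ESCAPE_CMDS:-"vi vim less"}   # commands named in the thread

# Print "<line>: <command>" for every rule or Cmnd_Alias entry whose command
# basename is in $ESCAPE_CMDS and that is not covered by a NOEXEC: tag.
find_shell_escapes() {
    awk -v cmds="$ESCAPE_CMDS" '
    BEGIN { n = split(cmds, c, " "); for (i = 1; i <= n; i++) risky[c[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*(Defaults|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
        spec = $0
        # Drop "user host =" and an optional "(runas)" prefix.
        if (!sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", spec)) next
        noexec = 0
        m = split(spec, items, /[ \t]*,[ \t]*/)
        for (i = 1; i <= m; i++) {
            item = items[i]
            # Tags such as NOPASSWD: or NOEXEC: carry over to later commands.
            while (match(item, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(item, 1, RLENGTH)
                if (tag ~ /^NOEXEC:/) noexec = 1
                if (tag ~ /^EXEC:/) noexec = 0
                item = substr(item, RLENGTH + 1)
            }
            split(item, w, /[ \t]+/); path = w[1]
            base = path; sub(/.*\//, "", base)
            if (!noexec && (base in risky)) print NR ": " path
        }
    }' "$@"
}

# Constructed sample policy, not taken from a real host.
sample_sudoers() {
cat <<'EOF'
# constructed sample
Defaults env_reset
alice  ALL=(root) /usr/bin/vim /etc/hosts
bob    ALL=(root) NOPASSWD: NOEXEC: /usr/bin/less /var/log/syslog
carol  ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/auth.log
EOF
}

sample_sudoers | find_shell_escapes
```

NOEXEC only stops the program from running further commands; an editor run as root can still write any file, which is why `sudoedit` is the usual way to grant editing of specific files.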
# 11  
Old 03-31-2014
.. and sudo has a log file so you can audit what users are doing...

Security is based on three types of controls... logical (technical), administrative (rules and policies) and physical controls; and it is a combination of these three facets of security that creates a security policy.

Example:
  • Policy that employees can only do "this" and "that" or else may risk being fired from job. (administrative control)
  • sudo configuration that restricts access and logs actions (logical, technical controls)
  • Log sudo actions to read only media that is located in a locked area (logical + physical controls).

Normally, it is not cost effective nor prudent to only rely on logical controls.

It's kind of like (well, almost exactly like) your car. Your car can (maybe) drive up to speeds of 200 miles per hour, but the law says you can only drive 60 miles per hour (example). So, the control is administrative (not logical) and there are some physical controls as well; for example if you try to go around a curve at 200 miles per hour, you will fly off the road.

Computer security is based on three controls... logical, physical and administrative and there can be myriad combinations of these three control areas based on the risk profile to create an effective security policy.

In this thread, we have only discussed a few logical controls, we have not discussed administrative or physical controls and we have not examined the risk profile (vulnerability, threat, and criticality); these areas need to be examined before keying in on the right combination of controls.
# 12  
Old 03-31-2014
Quote:
Originally Posted by Neo
Yes, this can be a good idea.

I suggest you write a cron script that copies sudoers files with different configurations.

For example you create an sudoers file that does not permit sudoers (if that is what you want) and then keep that file in place (but make a copy); then on "Monday" for example, copy your current sudoers file in place which permits sudoers.

Then when Monday is "over" then copy your restrictive sudoers file in place.

This method can be very effective and you can control how users su "by the minute" if that pleases you. You can create any combination of permissions in sudoers files and move these files in and out of place as you like.
Interesting approach. sudo complains if you edit its file by outside means however -- how does one avoid this?
# 13  
Old 03-31-2014
I understood Neo's approach as what I used to do with my HP servers when passing from transactional (day) to batch mode (night) by swapping kernels..., that means having differently configured sudoers you exchange depending on context...
# 14  
Old 03-31-2014
I don't have any problems using vi to edit the sudoers file. You can create multiple copies, edit them, and use the root crontab to move the config file in and out as the security policy requires.

Crontab also warns against using vi directly, but that has not stopped me from vi'ing the crontab files directly for decades.
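
An added example, not written by any poster in this thread: one way to do the cron-driven swap from posts #12 and #14 so that a variant with a syntax error never becomes the live sudoers file. It checks the copy with `visudo -c -f` and renames it into place only if the check passes. The directory layout, the variant names `open` and `restricted`, the script path and the shell variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Hypothetical layout (not from the thread):
#   /etc/sudoers.variants/open        - rules for the one permitted day
#   /etc/sudoers.variants/restricted  - rules for the rest of the week
VARIANT_DIR=${VARIANT_DIR:-/etc/sudoers.variants}
LIVE=${LIVE:-/etc/sudoers}
ALLOWED_DAY=${ALLOWED_DAY:-1}     # ISO weekday from `date +%u`, 1 = Monday
# Syntax checker; overridable so the logic can be exercised without root.
SUDOERS_CHECK=${SUDOERS_CHECK:-"visudo -c -q -f"}

# Print which variant applies on ISO weekday $1 when $2 is the permitted day.
variant_for_day() {
    if [ "$1" -eq "$2" ]; then echo open; else echo restricted; fi
}

# Copy $1 next to $2, validate the copy, then rename it over $2.
# A rename within one directory is atomic, so sudo never reads a partial file.
install_sudoers() {
    src=$1 dest=$2
    [ -f "$src" ] || { echo "missing variant: $src" >&2; return 2; }
    tmp=$(mktemp "$dest.XXXXXX") || return 3
    if ! cp "$src" "$tmp" || ! chmod 0440 "$tmp"; then
        rm -f "$tmp"; return 3
    fi
    if ! $SUDOERS_CHECK "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "refusing to install $src: syntax check failed" >&2
        return 1
    fi
    mv -f "$tmp" "$dest"
}

# Root crontab entry (constructed): run just after midnight every day.
#   1 0 * * * /usr/local/sbin/sudoers-swap --apply
if [ "${1:-}" = "--apply" ]; then
    install_sudoers \
        "$VARIANT_DIR/$(variant_for_day "$(date +%u)" "$ALLOWED_DAY")" "$LIVE"
fi
```

A failed check leaves the previous sudoers file untouched and writes a message to stderr, which cron mails to root by default.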