Quote: Originally Posted by gsander
Some of it does make sense and it does help. I asked about the Java they are using. They are using Sun One web server - actually building a web app for it. They want to deploy the application to the web server. I have created an account for them to use already. It is a member of the root group. That might be more than they need, but this is the test server. I want to be more restrictive on production. Sudo might be the answer, but I will need to read up on it a good bit. Should the developers use the same account that the web server runs under?
I would strongly suggest taking the sunone account out of the root group. Not only is it dangerous from a security point of view, one of the devs could really muck things up.

Developers should log in as themselves, then "sudo" to the Sun One account.

The sooner you start using security best practices, the less pain it will be to convince developers and management why you should go this route. Enforce now and it will be easier on you. Here is an example of the sudo configuration file: create a group for admins called envmgt or whatever you like, create a group called dev and place all devs' usernames in that group, then configure sudo as below (sudosh is another program that can track all user commands; it is used in conjunction with sudo).
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# sudoers file TE 19JUL
# edit: TE 19JUL07
#
# Host alias specification
# User alias specification
# STAFF = members of the envmgt group (admins), DEV = members of the dev group
User_Alias STAFF = %envmgt
User_Alias DEV = %dev
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
# admins may become root with "su -" and run sudosh, without a password
STAFF ALL = NOPASSWD: /usr/bin/su -, /usr/local/bin/sudosh
# developers may only become the sunone service account, or run sudosh
DEV ALL = NOPASSWD: /usr/bin/su - sunone, /usr/local/bin/sudosh
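As an added example (not code from the thread or from sudo itself), the script below evaluates the sudoers rules above the way sudo would, so you can confirm before deploying them that a developer can only reach the sunone account and not root, and it also lists any accounts still left in the root group. The /etc/group contents and the user names alice, bob and carol are constructed sample data; the rule-matching logic covers only the constructs used in this fragment (User_Alias, %group, NOPASSWD, a runas in parentheses), not the full sudoers grammar.

```python
"""Added example: check who can run what under the sudoers fragment above.

Answers two questions a reviewer of this setup would ask: which accounts sit
in the root group, and what each developer or admin may run through sudo.
"""
import re

# Constructed sample /etc/group: 'sunone' still sits in the root group,
# which is exactly what the reply says to undo.
GROUP_FILE = """\
root:x:0:sunone
envmgt:x:100:bob
dev:x:101:alice,carol
"""

# The rules from the reply, without the comment header.
SUDOERS = """\
User_Alias STAFF=%envmgt
User_Alias DEV=%dev
root ALL=(ALL) ALL
STAFF ALL = NOPASSWD: /usr/bin/su - , /usr/local/bin/sudosh
DEV ALL = NOPASSWD: /usr/bin/su - sunone, /usr/local/bin/sudosh
"""

# who  host = (runas) commands   (runas part optional)
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\((\S+)\)\s*)?(.*)$")


def parse_groups(text):
    """Map group name -> set of supplementary members from /etc/group lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def root_group_members(groups):
    """Accounts that are supplementary members of 'root' (should be empty)."""
    return sorted(groups.get("root", set()))


def parse_sudoers(text):
    """Return (user aliases, rules); a rule is (who, host, runas, nopasswd, cmds)."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("User_Alias"):
            name, members = line[len("User_Alias"):].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + raw)
        who, host, runas, cmds = m.groups()
        nopasswd = cmds.startswith("NOPASSWD:")
        if nopasswd:
            cmds = cmds[len("NOPASSWD:"):]
        # normalise whitespace so "/usr/bin/su - " and "/usr/bin/su -" compare equal
        cmdlist = [" ".join(c.split()) for c in cmds.split(",") if c.strip()]
        rules.append((who, host, runas or "root", nopasswd, cmdlist))
    return aliases, rules


def user_matches(user, spec, aliases, groups):
    """ALL, an alias name, a %group, or a bare user name."""
    if spec == "ALL":
        return True
    if spec in aliases:
        return any(user_matches(user, s, aliases, groups) for s in aliases[spec])
    if spec.startswith("%"):
        return user in groups.get(spec[1:], set())
    return user == spec


def cmd_matches(cmd, spec):
    """sudo semantics: a bare path allows any arguments, a path given with
    arguments must match exactly ('/usr/bin/su -' does not cover 'su - sunone')."""
    if spec == "ALL":
        return True
    cmd = " ".join(cmd.split())
    if " " in spec:
        return cmd == spec
    return cmd.split(" ", 1)[0] == spec


def may_run(user, cmd, runas="root", host="localhost", groups=None, sudoers=None):
    """Return (allowed, without_password) for `sudo -u runas cmd` run by user.
    Like sudo, the last matching rule wins."""
    groups = parse_groups(GROUP_FILE) if groups is None else groups
    aliases, rules = parse_sudoers(SUDOERS if sudoers is None else sudoers)
    result = (False, False)
    for who, rhost, rrunas, nopasswd, cmds in rules:
        if rhost not in ("ALL", host) or rrunas not in ("ALL", runas):
            continue
        if not user_matches(user, who, aliases, groups):
            continue
        if any(cmd_matches(cmd, spec) for spec in cmds):
            result = (True, nopasswd)
    return result


if __name__ == "__main__":
    print("still in root group:", root_group_members(parse_groups(GROUP_FILE)))
    for user, cmd in [("alice", "/usr/bin/su - sunone"), ("alice", "/usr/bin/su -"),
                      ("bob", "/usr/bin/su -"), ("carol", "/usr/local/bin/sudosh")]:
        print(f"{user:6} {cmd:22} -> {may_run(user, cmd)}")
```

The check worth keeping in mind is the one in cmd_matches: because the DEV rule spells out the argument `sunone`, a developer's `sudo su -` (root shell) is refused while `sudo su - sunone` is allowed; the STAFF rule's bare `/usr/bin/su -` is what grants admins root. On the real host, run `visudo -c` after editing, since this script only models the subset of syntax used here.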