Which way is correct to implement sudo

From: Manager (Manager_member_at_newsguy.com)
Date: 09/16/05


Date: 15 Sep 2005 19:38:01 -0700

Hello

I am seeking advice from those very experienced with Sun's, Unix, webservers,
database servers, and setting up sudo in that kind of environment. My objective
is to ensure security, accountability, auditability, and minimize the impact of
human error.

I have a difference of opinion between two operational IT groups (one is systems
admin, the other is applications) regarding the best way to set up sudo.

I have a contracted systems admin service (a couple of people) managing 4
Solaris servers from a remote location normally (come in by VPN). They are
responsible for the operating system and hardware only. They are contracted
from a well established external company that has been around quite a while
providing IT services and support, and facilities management, but are new service
providers to us.

I also have an in-house applications group (again a couple of people - with some
additional contractors as needed). They are responsible for applications now,
but in the past provided direction and/or direct support on the hardware and
operating system for these systems.

The machines run production and test for apache (public web), and internal
application servers and databases (oracle, application servers like 9ias). Each
of the application software packages has its own dedicated account, e.g. oracle,
web, appservice1, etc.

The applications group needs the ability to run a few things with higher
privileges, e.g. need to be able to start and stop apache, and a number of other
things, hence the need for sudo. In the past they have had the root password,
and would su to root directly when higher privileges were required, and then
back down to the relevant application account.

The systems admin group wants the application group to log onto the machines
(apps groups come in on the same subnet which is switched) using named accounts
e.g. based on their personal id (e.g. jbrown), then sudo su to the application
accounts as required. They have indicated that they wish the web
account (which owns and runs apache out to the public) to be the only account
that can sudo ALL under the concept of least privilege. They indicate that they
are concerned about giving sudo ALL privilege to the personal accounts for the
applications group in case that account is compromised.

The applications group want to log onto the machines under their personal named
account (e.g. jbrown), and have only those types of accounts given the
privilege to sudo ALL, and have none of the generic application accounts like
"web".

In fact the applications group wants "everyone" to have to use sudo ALL from
only their own named account (both them and the system admin group) so that all
actions run with higher privileges are logged under sudo against the person who
ran the command. In the event that a machine goes into single user mode and a
root logon is required at the machine directly, root password would be in a
sealed envelope, secured, but available onsite.

Which of these ways to set up and implement sudo is best given the stated
objectives (from senior management) of security, accountability, auditability,
and minimizing the impact of human error?

I am looking for frank responses on this from experienced people.

Thanks in advance.
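
An added example, not part of the original post: a Python script for the accountability question raised above. It reads log lines in sudo's syslog format and separates root commands logged against a named person from those logged against a shared application account or hidden behind a `sudo su` shell. The host name, paths and log lines are constructed assumptions; the account names are the ones used in the post.

```python
import re

# Constructed sample lines in sudo's syslog format (host, paths, times are made up).
SAMPLE_LOG = """\
Sep 15 19:30:01 srv1 sudo:   jbrown : TTY=pts/1 ; PWD=/export/home/jbrown ; USER=root ; COMMAND=/usr/bin/su - web
Sep 15 19:31:12 srv1 sudo:      web : TTY=pts/1 ; PWD=/export/home/web ; USER=root ; COMMAND=/usr/apache/bin/apachectl restart
Sep 15 19:32:40 srv1 sudo:      web : TTY=pts/3 ; PWD=/export/home/web ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Sep 15 19:40:05 srv1 sudo:   jbrown : TTY=pts/1 ; PWD=/export/home/jbrown ; USER=root ; COMMAND=/usr/apache/bin/apachectl restart
"""

# Application accounts named in the post; several people can act as each of them.
SHARED_ACCOUNTS = {"web", "oracle", "appservice1"}
# Programs that hand out a shell; sudo's command log does not record what runs inside it.
SHELLS = {"su", "sh", "ksh", "csh", "bash"}

LINE_RE = re.compile(
    r"sudo:\s+(?P<invoker>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.+)$"
)

def parse(log_text):
    """Return one dict per sudo command record; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]

def classify(event):
    """Label one record by how well it ties a privileged action to a person."""
    program = event["command"].split()[0].rsplit("/", 1)[-1]
    if program in SHELLS:
        return "shell_handoff"      # later commands in that shell are unlogged
    if event["invoker"] in SHARED_ACCOUNTS:
        return "shared_account"     # log names the account, not the person
    return "named_person"           # log names the individual who ran it

def attribution_report(log_text):
    """Group (invoker, command) pairs by classification."""
    report = {"named_person": [], "shared_account": [], "shell_handoff": []}
    for event in parse(log_text):
        report[classify(event)].append((event["invoker"], event["command"]))
    return report

if __name__ == "__main__":
    for label, items in attribution_report(SAMPLE_LOG).items():
        print(label)
        for invoker, command in items:
            print(f"  {invoker}: {command}")
```

In the sample, the two commands run from the `web` account carry no personal identity in the log, and the `su - web` record is the last thing sudo records for that session.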


