note
arhuman
<em>Allowing Bob SUDO access to the box could be very very bad, if he truly is a problem. On the other hand, allowing Bob into the access group that can run the apache restart program via a suid bit, means that the only damage he can effectively do (besides erasing config files) is starting and stopping the web server; the rest of the box remains secure.</em><br>
<br>
Either I'm missing something or you're ignoring that sudo can be configured to grant <b>precise/limited</b> access to some prog.<br>
<br>
<code>
User_Alias WEBMASTERS = user1, user2, user3
User_Alias SYSADMINS = user3, user2
User_Alias DUMBUSERS = user4
# User privilege specification
root ALL=(ALL) ALL
WEBMASTERS www = NOPASSWD: /usr/sbin/apachectl
SYSADMINS wiz = NOPASSWD: /bin/wiz
DUMBUSERS blah = NOPASSWD: /bin/blah
</code><br>
Here I allow user1,user2,user3 (WEBMASTERS's sudo group) to use apachectl<br>
Here I allow user2,user3 (SYSADMINS's sudo group) to use the ueber-elite /bin/wiz command<br>
Here I allow user4 (DUMBUSERS's sudo group) to use the /bin/blah (I really don't trust him ;-)<br>
<br>
If an intruder compromises the user4 account he can't do more than execute /bin/blah.<br>
<br>
Sudo offers tons of other features (ask for passwd, execute under other UID...).<br>
You really should give it a try...<br>
<br>
<br>"<b>O</b>nly <b>B</b>ad <b>C</b>oders <b>C</b>ode <b>B</b>adly <b>I</b>n <b>P</b>erl" (OBC2BIP)<br>
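Added example (not part of arhuman's post): a small Python resolver for the subset of sudoers syntax used in the note above, showing which commands each account ends up with on each host. The second field of each rule (www, wiz, blah) is a host name, so a grant applies only on that machine; the function names `parse` and `allowed` are made up for this illustration.

```python
import re

# The sudoers fragment from the post, embedded as sample input.
SUDOERS = """\
User_Alias WEBMASTERS = user1, user2, user3
User_Alias SYSADMINS = user3, user2
User_Alias DUMBUSERS = user4
# User privilege specification
root ALL=(ALL) ALL
WEBMASTERS www = NOPASSWD: /usr/sbin/apachectl
SYSADMINS wiz = NOPASSWD: /bin/wiz
DUMBUSERS blah = NOPASSWD: /bin/blah
"""

def parse(text):
    """Return (aliases, rules) for the simple sudoers subset shown above."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.match(r"User_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = {u.strip() for u in m.group(2).split(",")}
            continue
        # who host = [(runas)] [TAG:] cmd[, cmd...]
        m = re.match(r"(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?"
                     r"(?:(\w+):\s*)?(.+)", line)
        if m:
            who, host, runas, tag, cmds = m.groups()
            rules.append({"who": who, "host": host, "nopasswd": tag == "NOPASSWD",
                          "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, rules

def allowed(user, host, text=SUDOERS):
    """Commands `user` may run through sudo when logged in on `host`."""
    aliases, rules = parse(text)
    cmds = set()
    for r in rules:
        user_ok = r["who"] in ("ALL", user) or user in aliases.get(r["who"], ())
        host_ok = r["host"] in ("ALL", host)
        if user_ok and host_ok:
            cmds.update(r["cmds"])
    return sorted(cmds)
```

On a real system, `visudo -c` checks the file's syntax and `sudo -l -U user4` (run as root) lists what sudo itself resolves for that account.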