Think about Loose Coupling | |
PerlMonks |
comment on |
( [id://3333]=superdoc: print w/replies, xml ) | Need Help?? |
Allowing Bob SUDO access to the box could be very very bad, if he truly is a problem. On the other hand, allowing Bob into the access group that can run the apache restart program via a suid bit, means that the only damage he can effectively do (besides erasing config files) is starting and stoping the web server; the rest of the box remains secure.
Either I miss somthing either you ignore that sudo can be configured to grant precise/limited access to some prog.
Here I allow user1,user2,user3 (WEBMASTERS's sudo group) to use apachectl Here I allow user2,user3 (SYSADMINS's sudo group) to use the ueber-elite /bin/wiz command Here I allow user4 (DUMBUSERS's sudo group) to use the /bin/blah (I really don't trust him ;-) If an intruder compromise the user4 account he can't do more than executing /bin/blah. Sudo offer tons of other features (ask for passwd, execute under other UID...). You really should give it a try... "Only Bad Coders Code Badly In Perl" (OBC2BIP) In reply to Re: Re: Re: Re: Executing Root Commands from user level
by arhuman
|
|