
#1 2016-06-19 08:38:33

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Hardening with sudo

I'm setting up a new box and have taken the time to think a bit more carefully about how I set up sudo. I've had a good read of the wiki and there's a neat hardening example (well, neat to the untrained eye). The "admin" user, and how "Joe" accesses that, I understand but I'm having a bit of trouble with the concept of the "devel" user.

It seems odd to have one user that can run pacman and has access to just a selection of config files in /etc. This seems arbitrary and hacky:

chown -R devel:root /etc/{http,openvpn,cups,zsh,vim,screenrc}

I know this is an example, so the choice of files is likely user dependent, but is it good practice to chown a bunch of configs like that? And why would you mess with zsh, vim or screenrc in /etc when they can all be configured on a per-user basis? I'm assuming this is logical but I don't understand why.

Last edited by dtw (2016-06-19 08:38:49)


#2 2016-06-19 11:42:36

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Hardening with sudo

I suppose the idea is to give "devel" the permission to edit /etc/{http,openvpn,cups,zsh,vim,screenrc} and install packages without even needing to invoke sudo, however I'd say "admin" would be more suited to be the one with permission to run pacman.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#3 2016-06-20 13:16:37

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: Hardening with sudo

R00KIE wrote:

I suppose the idea is to give "devel" the permission to edit /etc/{http,openvpn,cups,zsh,vim,screenrc}

But why those files I wonder. I just looked at my bash history and I've never edited any of those files. I did discover (in the process) that being in the "log" group would have let me read syslogs without sudo.

R00KIE wrote:

I'd say "admin" would be more suited to be the one with permission to run pacman.

Me too.

I'll also add pon and poff to the NETWORK commands, paccache to PKGMAN. mkinitcpio needs to go in somewhere too.

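The command groups dtw lists above (pon/poff in NETWORK, paccache in PKGMAN, mkinitcpio in its own group) written out as a sudoers drop-in, as an added example that is not part of the thread or of the Arch wiki page it discusses. The account name "admin" is the one from the thread; the command paths, the alias name BOOT and the file name 10-admin are assumptions. The point of the second function is the check: a syntax error in a live file under /etc/sudoers.d breaks sudo for every user, so the fragment is parsed with `visudo -c -f` before it is installed.

```sh
#!/bin/sh
# Added example: build a least-privilege sudoers drop-in for the "admin"
# account discussed in the thread and parse-check it before installation.
# Paths assume Arch's merged /usr/bin; adjust for other distributions.

write_admin_sudoers() {
    out=$1
    cat > "$out" <<'EOF'
# Command groups use full paths only, so a modified PATH on the caller's
# side cannot substitute a different binary.
Cmnd_Alias NETWORK = /usr/bin/ip, /usr/bin/pon, /usr/bin/poff
Cmnd_Alias PKGMAN  = /usr/bin/pacman, /usr/bin/paccache
Cmnd_Alias BOOT    = /usr/bin/mkinitcpio

# "admin" may run exactly these commands as root, nothing else, and is
# still asked for a password (no NOPASSWD).
admin ALL = (root) NETWORK, PKGMAN, BOOT
EOF
    # sudo expects sudoers files to be root-owned and mode 0440; it will not
    # trust a file that is writable by group or other.
    chmod 0440 "$out"
}

# Parse-check a candidate file without installing it. Returns visudo's
# exit status, or 2 when visudo is not available on this host.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; $1 was not syntax-checked" >&2
        return 2
    fi
}

candidate=$(mktemp)
write_admin_sudoers "$candidate"
check_sudoers "$candidate" || echo "do not install $candidate" >&2
# Only after the check passes:
#   install -o root -g root -m 0440 "$candidate" /etc/sudoers.d/10-admin
```

One caveat a practitioner should keep in mind when reading the alias list: letting a user run `pacman` through sudo is close to giving that user root, because `pacman -U` installs a locally built package whose install scriptlet runs as root. The aliases above limit what an honest "admin" does by accident; they do not contain a compromised "admin" account.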

#4 2016-06-20 15:28:05

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Hardening with sudo

dtw wrote:
R00KIE wrote:

I suppose the idea is to give "devel" the permission to edit /etc/{http,openvpn,cups,zsh,vim,screenrc}

But why those files I wonder. I just looked at my bash history and I've never edited any of those files. I did discover (in the process) that being in the "log" group would have let me read syslogs without sudo.

I guess it can be taken as an example, or the person who wrote/edited that part of the wiki only needed to edit those files regularly.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

