Hello,
I've just installed the "package" (?) sudo, and I would like to know how to properly configure it. Do you have any tips?
What should I avoid doing?
In the wiki page dedicated to sudo, category "entries", where should I enter the line
%wheel ALL=(ALL) ALL
In the configuration file of sudo (visudo)?
Thanks for your help,
Red'
OK. Is it possible to change the name of the group?
do. not. allow. general. sudo. to. anyone. and. notably. not. groups.
There should probably be no sudo on a server at all, what are you trying to do?
If you want to give another group than `wheel` permission to run sudo, you could also add a line for that group to the sudoers file.
Otherwise, if you really want to rename the "traditional" `wheel` group to something else, you will need to modify /etc/sysusers.d/basic.conf (as `wheel` is created by systemd-sysusers). But I'm left wondering why you would want to do that...
> do. not. allow. general. sudo. to. anyone. and. notably. not. groups.
Well, the `wheel` group is pretty much there for exactly that.
More generally, I use groups (among other things) to manage access to different resources for different users. I don't see why exactly this would be wrong.
Last edited by ayekat (2017-07-21 15:36:00)
Did you notice that he's operating a server?
There's nothing wrong with using groups to manage resource access (that's why they exist) but there's much wrong with global root access to anybody, because that's equivalent to a remote root shell option.
You can perfectly do that on your de-facto single user desktop system (I do that just as well).
I'd suggest to limit the commands available to wheel users to typical maintenance tasks on the machine (e.g. restart services etc.), not random stuff - with the rare exception of a team of admins and the necessity to log each action individually (but not for security reasons, because a root shell would allow to break the log)
> Did you notice that he's operating a server?
Ah, I hadn't taken a look at their previous threads, you're right.
But sudo is still OK to be installed on a server, especially because it's there (if multi-user) where you get to appreciate its capability of configuring "who can run what" (per-user/per-group).
And whether you use `wheel` to give fewer users "absolute" power or more users limited plumbing powers is IMHO a matter of taste. I would probably create additional, specific groups for the latter, and reserve `wheel` for the very few (or none) who are allowed to run anything.
That being said, Redgard, would you mind stating your actual goal? Is it a multi-user server or just your personal little VPS?
The idea was:
%admin ALL=(ALL) ALL
The project is to have a server hosting multiple websites, a game server (Minecraft PE) and if possible some bots for the vocal.
There would be 2 user groups:
My brother and I - I thought of granting the sudo permission to a group named "admin" and disabling the root connection to secure the server a minimum
2 guys from my multigaming team - they would be added to the group "unigen" which has restricted access to the server limited to the folder /srv/http/unigen + some commands (like restart)
I think to disallow normal connection to force ssh connection.
Thanks for the help,
Red'
Last edited by Redgard (2017-07-21 18:35:27)
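The two-group split described in the post above, written as a sudoers drop-in. This is an added example, not part of the original thread; the file name and the unit names `minecraft-pe.service` and `unigen-bot.service` are assumptions, and it presumes the main sudoers file includes `/etc/sudoers.d`.

```sudoers
# /etc/sudoers.d/10-groups   (hypothetical file name)
# Edit with: visudo -f /etc/sudoers.d/10-groups
# Names in this directory must not contain a "." or end in "~", or sudo skips them.

# Broad rule, same form as the %wheel line from the wiki:
# every member may run any command as any user.
# Membership should stay limited to the two administrators.
%admin  ALL=(ALL) ALL

# Narrow rule for the second group: full paths, fixed arguments, run as root only.
# The unit names below are placeholders (assumptions); use the real services.
Cmnd_Alias UNIGEN_SVC = /usr/bin/systemctl restart minecraft-pe.service, \
                        /usr/bin/systemctl restart unigen-bot.service

%unigen ALL=(root) UNIGEN_SVC

# Deliberately absent from the %unigen rule: ALL, shells, editors, and
# wildcards such as "systemctl *". Any of them is equivalent to full root.
# Access to /srv/http/unigen is granted through file ownership and
# permissions on that directory, not through sudo.
```

`visudo -c` checks the syntax of the main file and the included ones, and `sudo -l -U <user>` (run as root) lists what a given account is actually allowed to run.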
> I think to disallow normal connection to force ssh connection.

Normal connection? Also have you compared the server's ssh configuration with Secure_Shell#Protection, particularly if the server came with Arch preinstalled, so the package / configuration files may be non-standard? Is root access to the server via ssh with a password currently allowed for instance?
Is there any particular reason you want to use the admin group instead of the wheel group?
By convention wheel is the group that denotes those allowed to become root and software configuration tends to follow that convention or be more easily configured to follow it.
I wanted to say disable normal authentication (by password) to use a connection/authentication with an SSH key.
For the admin group, the name is more intuitive and I don't know the specification of the group wheel. The goal is also to reuse the same nomenclature as the one used in the team, so the other users don't lose their points of reference.
Last edited by Redgard (2017-07-22 16:51:24)