Mailing Lists: Apple Mailing Lists


Re: Security flaw... kindda!



Hi James, thanks for the reply and the concern. Anyhow, I wasn't seeking a direct response with ways to fix this problem; rather, I was just trying to bring this issue to the attention of this forum, "kindda" like probing the general opinion about the danger it may present. Nevertheless, your suggestion about the subadmins group is quite swell and I think I might try it; I don't think I feel too comfortable any more with the knowledge that the root password can be changed so easily! Of course, it stands to reason that the stock sudoers file is not the best security fit and should be tailored if there's any concern for it...

Again, thanks for the concern. Regards,...


Juan.


On Tuesday, April 29, 2003, at 10:36 PM, James Tolchard wrote:

When someone has admin access, you are effectively giving them ALL=(ALL) ALL
access for sudo, among other things. Personally I'd only be giving admin access
to people I trust.

Why not create a system group called something like "subadmins", add the desired
less-access-than-root-but-more-access-than-plebs people to that group, then
create a group specification in /etc/sudoers granting access to the specific
commands you would like them to be able to use.

The sudoers manpage has a good example on creating just such a tiered
administration scheme, using "full time admins", "part time admins" and
"webmasters" as examples of three different levels of superuser access required.
man sudoers for more information.

Cheers
James
_______________________________________________
macos-x-server mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macos-x-server
Do not post admin requests to the list. They will be ignored.
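
The tiered scheme James describes, sketched as an /etc/sudoers fragment. This is an added example, not part of the original thread; "subadmins" is the group name from his message, while the alias names and command paths are illustrative assumptions to adapt to the host.

```sudoers
# Added example, not from the thread. Alias names and command paths below
# are assumptions chosen for illustration.

# The broad grant James refers to: every member of the admin group may run
# any command as any user, which includes changing the root password.
%admin      ALL = (ALL) ALL

# Tiered alternative: name each permitted command by full path, with its
# arguments. When arguments are listed, sudo allows only that exact form.
Cmnd_Alias  WEBCTL = /usr/sbin/apachectl start, \
                     /usr/sbin/apachectl stop, \
                     /usr/sbin/apachectl restart, \
                     /usr/sbin/apachectl configtest
Cmnd_Alias  REBOOT = /sbin/shutdown -r now

# Members of subadmins may run only the commands above, and only as root.
%subadmins  ALL = (root) WEBCTL, REBOOT

# Keep these out of any restricted alias, because each one can hand the
# caller a root shell or let them rewrite this file:
#   - shells and interpreters (sh, bash, perl, python)
#   - editors and pagers that can spawn a shell (vi, less, more)
#   - passwd without a fixed, non-root user argument
#   - anything written as "ALL, !/some/command": the negated command can be
#     copied to another path and run from there.
```

Edit the file with visudo so a syntax error is caught before it is saved, then have a member of the group run `sudo -l` to confirm the listing matches the intended commands.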


