Commit 5fc6de27 (MW)

```
### -*-conf-*-
### sudoers file for distorted.org.uk
###
### This file is maintained on ibanez: edit it there and run `update-slaves'.

###--------------------------------------------------------------------------
### Thoughts.
###
### I'm not using `sudo' to give people limited access to privileged
### commands.  That's a mug's game, and anyway `userv' does it better.
### So I'm not going to try to restrict what administrators can do.

###--------------------------------------------------------------------------
### Defaults.

## The `authentication' -- making people type in their passwords -- will
## only thwart an unimaginative attacker.  We have to face up to the fact
## that `sudo' basically deals in `at-least-as-powerful-as' relationships:
## if Alice can `sudo' to Bob, then Alice is at least as powerful as Bob,
## and all of the molly guards and password typing won't help that.
Defaults !authenticate

## Again, with the idea that we're trusting the calling users, we don't
## need to scrub the environment.
Defaults !always_set_home, !env_reset, !secure_path

## Allow any editor with `visudo'.  The idea that allowing a user to edit
## the `sudoers' file is OK but letting him choose which editor he uses
## isn't is obviously crazy.  After all, he can change the editor list
## if he likes.
Defaults env_editor

## Don't spam me with reports of people being turned away.  I have logs for
## that.
Defaults !mailto

## I'm going to assume that administrators already know how to behave
## responsibly.
Defaults lecture = never

## Passing file descriptors into a program seems OK to me, given that
## I'm assuming that the target user trusts the caller anyway.
Defaults !closefrom_override

###--------------------------------------------------------------------------
### Administration.
###
### Summary:
###     FROM HOSTS = (TO-USERS [: TO-GROUPS]) [TAGS] COMMAND
###
###     LIST ::= [!] ITEM, ...
###     USER ::= NAME | #UID | %GROUP
###     HOST ::= HOSTNAME | ADDR | NET/MASK
###     COMMAND ::= CMD | DIR/ | sudoedit
###     TAG ::= NOPASSWD: | PASSWD: | NOEXEC: | EXEC: | SETENV: | NOSETENV: |
###             LOG_INPUT: | NOLOG_INPUT: | LOG_OUTPUT: | NOLOG_OUTPUT:

## Allow `root' and members of the `sudo' and `root' groups to do their
## things.
root, %sudo, %root, %wheel ALL = (ALL : ALL) ALL

###----- That's all, folks --------------------------------------------------
```
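The file above switches off several of sudo's protective defaults on purpose, which is the kind of thing an auditor wants to spot quickly across many hosts. The following is an added example (not part of the distorted.org.uk configuration) that parses unqualified `Defaults` lines and the unrestricted `ALL = (ALL : ALL) ALL` grant from a constructed excerpt of this file, and reports which hardening defaults are disabled; the option descriptions are the standard meanings of those sudoers flags.

```python
"""Audit a sudoers fragment for disabled hardening defaults (added example)."""
import re

# sudoers Defaults that this file turns off, with the protection each gives.
HARDENING_FLAGS = {
    "authenticate": "caller must type a password",
    "env_reset": "environment is scrubbed before the command runs",
    "secure_path": "PATH is replaced with a trusted value",
    "always_set_home": "HOME is reset to the target user's home",
    "closefrom_override": "caller may not pass extra file descriptors",
}

# Constructed excerpt mirroring the Defaults and user-spec lines of the file.
SAMPLE_SUDOERS = """\
### constructed excerpt
Defaults !authenticate
Defaults !always_set_home, !env_reset, !secure_path
Defaults env_editor
Defaults !mailto
Defaults lecture = never
Defaults !closefrom_override
root, %sudo, %root, %wheel ALL = (ALL : ALL) ALL
"""

def parse_defaults(text):
    """Map option -> value for unqualified 'Defaults' lines:
    '!opt' -> False, bare 'opt' -> True, 'opt = value' -> 'value'."""
    defaults = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"Defaults\s+(.*)", line)
        if not m:
            continue
        for item in m.group(1).split(","):
            item = item.strip()
            if item.startswith("!"):
                defaults[item[1:].strip()] = False
            elif "=" in item:
                key, _, value = item.partition("=")
                defaults[key.strip()] = value.strip()
            else:
                defaults[item] = True
    return defaults

def disabled_hardening(defaults):
    """Sorted names of hardening defaults explicitly switched off."""
    return sorted(k for k, v in defaults.items() if v is False and k in HARDENING_FLAGS)

def unrestricted_principals(text):
    """Users/groups granted 'ALL = (ALL : ALL) ALL', i.e. full root equivalence."""
    pat = re.compile(r"^([^#\s].*?)\s+ALL\s*=\s*\(ALL\s*:\s*ALL\)\s+ALL\s*$")
    who = []
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            who.extend(p.strip() for p in m.group(1).split(","))
    return who

if __name__ == "__main__":
    d = parse_defaults(SAMPLE_SUDOERS)
    for flag in disabled_hardening(d):
        print(f"disabled: {flag:20} ({HARDENING_FLAGS[flag]})")
    print("root-equivalent:", ", ".join(unrestricted_principals(SAMPLE_SUDOERS)))
```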