On Fri, Jun 14, 2013 at 01:51:42PM -0500, Steven Stern wrote:
> >>>>>> %wheel ALL=(ALL) ALL
> >>>> This line *IS* uncommented by default.
> >>> Hmmm... Maybe it's been so long since I've had to do it. In any case,
> >>> it was commented on the two CentOS 6 systems I just set up.
> >> In my sudoers, that line is commented out, and should be. You don't
> >> want everybody and his brother to have sudo privileges.
> > "Everybody and his brother" should not be in the wheel group. "Wheel" is the
> > group for people with administrative privileges on the system.
> OK, let's now have some fun....
> sudo cp /bin/bash /bin/mylocalshell
> sudo mylocalshell
> I know this is preventable, but it's something to think about. No one
> should have sudo who you would not trust with root itself. sudo just
> adds a layer of accountability.

I'm a little perplexed by your "fun". Maybe it is not obvious, but the above
line allows any member of the wheel group (but just members of that group) to
use sudo for any command, which, yes, allows the same access level as root. I
don't think anyone is suggesting otherwise. You can just skip right to "sudo
bash", or, probably better, "sudo -i".

It's also the case that once you have root, or group membership, unless a
full audit of all files on the system is performed, it's difficult to make
sure that that access is _gone_ -- you can't just remove someone from the
list. But that's another issue.

-- 
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm@xxxxxxxxxxxxxxxxx>
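
An added example, not part of the thread: a small audit that reports which accounts an uncommented `ALL=(ALL) ALL` rule such as `%wheel ALL=(ALL) ALL` actually resolves to, counting users whose primary group is wheel as well as those listed in the group file. The file contents and account names are constructed, and the parser is a simplification that ignores aliases, `Defaults`, host-specific rules and included files.

```python
import re
# An active "<who> ALL=(ALL) ALL" rule, including the (ALL:ALL) and NOPASSWD: forms.
RULE = re.compile(
    r"^(\S+)\s+ALL\s*=\s*\(\s*ALL(?:\s*:\s*ALL)?\s*\)\s*(?:NOPASSWD:\s*)?ALL\s*$")

# Constructed sample files, not taken from any real system.
SUDOERS = """\
root ALL=(ALL) ALL
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# %admins ALL=(ALL) ALL
%ops ALL=(ALL) /usr/bin/systemctl restart httpd
"""
GROUP = "root:x:0:\nwheel:x:10:alice,bob\nadmins:x:1001:carol\nops:x:1002:dave\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\nerin:x:1005:10::/home/erin:/bin/bash\n"

def full_root_principals(sudoers_text):
    """Users and %groups named by an uncommented 'any command as any user' rule."""
    found = []
    for line in map(str.strip, sudoers_text.splitlines()):
        if not line or line.startswith("#"):  # a commented-out rule grants nothing
            continue
        m = RULE.match(line)
        if m:
            found.append(m.group(1))
    return found

def group_members(name, group_text, passwd_text):
    """Members listed in the group file plus users whose primary GID is that group."""
    members, gid = set(), None
    for f in (entry.split(":") for entry in group_text.splitlines()):
        if len(f) >= 4 and f[0] == name:
            gid = f[2]
            members.update(u for u in f[3].split(",") if u)
    for f in (entry.split(":") for entry in passwd_text.splitlines()):
        if len(f) >= 4 and gid is not None and f[3] == gid:
            members.add(f[0])
    return members

def users_with_root_via_sudo(sudoers_text, group_text, passwd_text):
    users = set()
    for who in full_root_principals(sudoers_text):
        if who.startswith("%"):
            users |= group_members(who[1:], group_text, passwd_text)
        else:
            users.add(who)
    return sorted(users)

if __name__ == "__main__":
    print(users_with_root_via_sudo(SUDOERS, GROUP, PASSWD))
```

On a live system, `sudo -l -U <user>` reports what sudo itself resolves for one account, including the aliases and included files that this sketch ignores.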