### -*-conf-*-
### sudoers file for distorted.org.uk
###
### This file is maintained on ibanez: edit it there and run `update-slaves'.

###--------------------------------------------------------------------------
### Thoughts.
###
### I'm not using `sudo' to give people limited access to privileged
### commands.  That's a mug's game, and anyway `userv' does it better.
### So I'm not going to try to restrict what administrators can do.

###--------------------------------------------------------------------------
### Defaults.

## The `authentication' -- making people type in their passwords -- will
## only thwart an unimaginative attacker.  We have to face up to the fact
## that `sudo' basically deals in `at-least-as-powerful-as' relationships:
## if Alice can `sudo' to Bob, then Alice is at least as powerful as Bob,
## and all of the molly guards and password typing won't help that.
Defaults !authenticate

## Again, with the idea that we're trusting the calling users, we don't
## need to scrub the environment.
Defaults !always_set_home, !env_reset, !secure_path

## Allow any editor with `visudo'.  The idea that allowing a user to edit
## the `sudoers' file is OK but letting him choose which editor he uses
## isn't is obviously crazy.  After all, he can change the editor list
## if he likes.
Defaults env_editor

## Don't spam me with reports of people being turned away.  I have logs for
## that.
Defaults !mailto

## I'm going to assume that administrators already know how to behave
## responsibly.
Defaults lecture = never

## Passing file descriptors into a program seems OK to me, given that
## I'm assuming that the target user trusts the caller anyway.
Defaults !closefrom_override

###--------------------------------------------------------------------------
### Administration.
###
### Summary:
###     FROM HOSTS = (TO-USERS [: TO-GROUPS]) [TAGS] COMMAND
###
###     LIST ::= [!] ITEM, ...
###     USER ::= NAME | #UID | %GROUP
###     HOST ::= HOSTNAME | ADDR | NET/MASK
###     COMMAND ::= CMD | DIR/ | sudoedit
###     TAG ::= NOPASSWD: | PASSWD: | NOEXEC: | EXEC: | SETENV: | NOSETENV: |
###             LOG_INPUT: | NOLOG_INPUT: | LOG_OUTPUT: | NOLOG_OUTPUT:

## Allow `root' and members of the `sudo', `root' and `wheel' groups to do
## their things.
root, %sudo, %root, %wheel ALL = (ALL : ALL) ALL

###----- That's all, folks --------------------------------------------------