[nycphp-talk] SSH2_CONNECT

CED consult at covenantedesign.com
Fri Jul 31 20:58:29 EDT 2009


Leam Hall wrote:
> CED wrote:
>> Leam Hall wrote:
>>>
>>>
>>> http://forums.fedoraforum.org/showthread.php?t=159677
>>>
>>> [root at leam ~]# grep -i tty /etc/sudoers
>>> Defaults    requiretty
>>>
>>> That might help.  :)
>>>
>>> Leam
>>>
>
>> Please DO NOT use Leam's example...
>>
>> "Defaults requiretty" is a global sudoers security default, change 
>> the default at the user level... or, again; Don't do it at all.
>>
>
> Depends on the nature of the server. Changing sudoers is less 
> problematic unless you have a lot of sudo'ing going on.
>
> What do you see as the issue?
>
> Leam
>
I thought it was somewhat clear from my previous post...

The entire point of sudoers is to manage and audit those running 
commands in escalation.

Whether the list is large or small, the entire point is to satisfy 
security needs for auditing and accountability; globally adjusting the 
defaults to the sudoers file begins to slight against its very reason 
for sudoers existing.

Particularly the session level limits (requiring a REAL tty), in the 
simplest way it prevents scary things like "rlogin -l iamleam Leamspc 
'cd /; rm -rf'" from firing.

I would suggest reading the sudoers man page and the 2.6 kernel notes.

-Ed



-- 
995 Maple Hill Road
Castleton, New York 12033
518-331-5061
Consult at CovenanteDesign.com
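
The difference between clearing requiretty globally and overriding it at the user level can be checked mechanically. The following is an added example, not part of the original thread: a shell check that reports where requiretty is set or cleared in sudoers text. The sample files, the `deploy` account and the command path are constructed, and only single-line `Defaults` entries are handled.

```shell
#!/bin/sh
# Print one "<scope> <on|off>" line per requiretty setting in sudoers text on stdin.
requiretty_settings() {
    awk '
    /^[ \t]*#/ { next }              # comments, including a commented-out Defaults line
    /^[ \t]*Defaults/ {
        line = $0
        sub(/^[ \t]*Defaults/, "", line)
        scope = "global"
        # Defaults:user, Defaults@host, Defaults>runas and Defaults!cmnd are scoped
        if (match(line, /^[@>!:][^ \t]+/)) {
            scope = substr(line, RSTART, RLENGTH)
            line = substr(line, RLENGTH + 1)
        }
        n = split(line, params, ",")
        for (i = 1; i <= n; i++) {
            p = params[i]; gsub(/[ \t]/, "", p)
            if (p == "requiretty")       print scope, "on"
            else if (p == "!requiretty") print scope, "off"
        }
    }'
}

# Exit 0 only when the last global setting leaves requiretty on (sudo itself
# defaults to off when no line sets it). Scoped exemptions are printed for review.
check_requiretty() {
    settings=$(requiretty_settings)
    global=$(printf '%s\n' "$settings" | awk '$1 == "global" { s = $2 } END { print s }')
    printf '%s\n' "$settings" | awk '$1 != "global" && $2 == "off" { print "exempt " $1 }'
    [ "$global" = "on" ]
}

# Constructed sample: requiretty cleared for every account on the host.
SUDOERS_GLOBAL_OFF='Defaults    !requiretty
deploy ALL=(root) NOPASSWD: /usr/local/bin/deploy'
# Constructed sample: global default kept, one hypothetical account exempted.
SUDOERS_SCOPED='Defaults    requiretty
Defaults:deploy !requiretty
deploy ALL=(root) NOPASSWD: /usr/local/bin/deploy'

for sample in "$SUDOERS_GLOBAL_OFF" "$SUDOERS_SCOPED"; do
    if printf '%s\n' "$sample" | check_requiretty; then
        echo "global requiretty: enforced"
    else
        echo "global requiretty: NOT enforced"
    fi
done
```
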