On Fri, Nov 27, 2009 at 02:24:38PM -0500, Matt Shields wrote:
> Is there anyone on the list that has some suggestions on securing sudo?

As others have suggested, it's a losing battle. There's always going to be some loophole that your users can exploit to do things they shouldn't be able to. I agree 100% with Tom Metro: don't give sudo access to anyone you wouldn't trust to be root. No matter how careful you may think you've been configuring it, you're going to overlook something.

> For years we've used sudo to give our developers and qa access to
> production servers run cat, less, more and tail to view logs, but
> nothing else.

If this is literally all you need, the solution is to change the group ownership of the log files, put the dev types in the right group, and make the log files group-readable. Problem solved, no sudo required.

Otherwise, you're in for a bumpy ride. I've run into this problem more times than I have hairs on my head (which is still quite a few, despite the ongoing balding), and I've also experienced the pecking order others described. IME system administrators in most places are at the low end of it, and it's worse now than it was in the past: sysadmins have become a commodity, and many employers can't tell the difference between a good one, a mediocre one, and a rotten one; and sadly, often enough it doesn't matter very much. I no longer do system administration. ;-)

The suggestion of documenting the loss of time (not just yours, but lost time for everyone affected by the down time) is a good one... If your company has people that deal with risk assessment (other than you), it may also be helpful to get them involved, particularly if it's not out of the realm of possibility that your devs could potentially do substantial customer-facing damage... if they can understand the problem...
Given that you're having this problem, and you've already approached management about policy issues with little or no success, I think the best advice I can give you is this: Try, try again, but be prepared to fail, and be prepared for the likely eventuality that politics will prevent you from being able to do your job effectively. And, be prepared to take the blame, whether you deserve it or not. Or, think seriously about switching back to the dev side ASAP. =8^)

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
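The group-ownership approach Derek recommends, written out as an added example (this is not code from the original thread or from anyone in it). It assumes a hypothetical log directory and a hypothetical group name "logreaders"; the group has to exist already and the developers have to be members of it. grant_log_read applies the ownership and modes, and audit_log_read is the check you run afterwards (and again after log rotation) to catch files that drifted back to unreadable-by-group or readable-by-world. In real use grant_log_read runs as root, because chgrp to an arbitrary group needs privilege; the example also works unprivileged on a throwaway directory you own if you pass one of your own groups.

```shell
#!/bin/sh
# Added example, not from the original post. Replace sudo rules for
# cat/less/more/tail with plain group read access on the log files.
# Hypothetical names: LOG_DIR=/var/log/app, LOG_GROUP=logreaders.

# grant_log_read DIR GROUP
#   Give GROUP read access to every regular file under DIR, make DIR
#   traversable and listable by GROUP, and remove all "other" access.
#   Directory: rwxr-x--- (0750). Files: rw-r----- (0640).
grant_log_read() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    chmod 0750 "$dir" || return 1
    find "$dir" -type d -exec chmod 0750 {} + || return 1
    find "$dir" -type f -exec chmod 0640 {} + || return 1
}

# audit_log_read DIR
#   Print every regular file under DIR that the group cannot read, or that
#   the world can read, or that group/world can write. Returns 1 if any
#   such file exists, 0 if the tree is clean. Uses only POSIX find -perm
#   syntax (leading '-' means "all of these bits set").
audit_log_read() {
    dir=$1
    bad=$(find "$dir" -type f \( ! -perm -g=r -o -perm -o=r \
                                 -o -perm -g=w -o -perm -o=w \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Typical invocation on a real box (as root):
#   grant_log_read /var/log/app logreaders
#   audit_log_read /var/log/app
```

Two caveats a practitioner will hit. First, this only fixes files that exist now: the daemon writing the log and whatever rotates it will recreate files with their own umask and ownership, so the daemon's umask or the rotation tool's create settings (for logrotate, the `create mode owner group` directive) have to match, which is exactly what the audit function is for. Second, the thread's "there's always a loophole" point is concrete for the original sudo rule: less and more both have a `!` command that runs a shell, so `sudo less` on a log file is a root shell for anyone allowed to run it. Group read access has no equivalent escape, because no privilege is being delegated at all.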