Re: [Hampshire] Directory permissions in Ubuntu v Debian

Author: Paul Tansom
Date:  
To: hampshire
Subject: Re: [Hampshire] Directory permissions in Ubuntu v Debian
** Simon Huggins <huggie@???> [2008-05-01 17:44]:
> On Thu, May 01, 2008 at 04:34:27PM +0100, Paul Tansom wrote:
> > ** Simon Huggins <huggie@???> [2008-05-01 16:13]:
> > > Are there specific things you think are less secure?
> > > I think you'd be better off doing an audit for running services you
> > > don't want, things you can see as a normal user (i.e. not in any admin
> > > type groups) that you don't want to etc.
> > The thing that started me thinking was when I started looking at the log
> > files from the CLI on my Ubuntu install and suddenly realised that I was
> > viewing files that were restricted on my Debian box. That seemed a
> > security issue that I may consider addressing and started me wondering
> > what else had been tweaked in terms of file and directory permissions in
> > order to allow things to work with sudo without the need to use a su(do)
> > shell - so what else had been opened up to the standard user accounts'
> > view that you may prefer not to be.
>
> Viewing files with or without sudo? It's not quite clear from the
> above. Without then they've tweaked groups and so on. But you don't
> need to tweak any filesystem permissions to "allow things to work with
> sudo" as you say. sudo will give you a full root equivalent if it's
> configured that way so sudo less /var/log/auth.log will work but that's
> not a security risk unless you give everyone on your box root access via
> sudo.

** end quote [Simon Huggins]

Without, and this is what started me down this road and what I'm trying
to get to. On my Debian boxes a standard user account can't get into
/var/log/exim4, but I'm presuming on a Ubuntu box you can otherwise
you'd have trouble administering it without either root or a sudo shell
(sadly I don't have access to a Ubuntu box at the moment, but I think
I'm going to have to build a Ubuntu box to explore and compare which I
was hoping to be able to avoid by using a quick search on Google). As
far as I can see it makes sense that all Ubuntu have done is add the
user accounts to the adm group, but I can't find any confirmation of
this (without a handy Ubuntu install) and I started thinking that there
should be some reference documentation with a brief overview of the
basics of the differences (clearly not everything in detail, but an
executive summary if you'll excuse the term!).

So that's basically all my question was/is, and I've clearly not been
too articulate in explaining it (or is that I've been too articulate and
confused everyone!). Has Ubuntu created or modified groups in order to
get sudo working the way they have it? I'm working on the basis of 'no',
but just thought it may be documented. I think once I've got a Ubuntu
server to work with it will simply be a case of enabling root and
adjusting the skeleton to a more restrictive allocation of groups
- unless this doesn't happen on the server and/or it only happens with
the first user account created during install - at which point I'm
heading back to the 'is it documented anywhere?' question ;)

--
Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/ | 023 9238 0001
======================================================================
Registered in England | Company No: 4905028 | Registered Office:
Crawford House, Hambledon Road, Denmead, Waterlooville, Hants, PO7 6NU
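
One way to check the adm-group question raised in this message on any box, as an added example that is not part of the original post: list what an account can read under /var/log only because of its group memberships. The function names are made up for this sketch, and it ignores root, POSIX ACLs and capabilities.

```python
import grp
import os
import pwd
import stat
import sys

def granting_class(st, uid, gids, want=4):
    """Return 'owner', 'group' or 'other' if that class grants `want`, else None.

    Follows the kernel's rule: exactly one class applies, with no fall-through.
    """
    if uid == st.st_uid:
        shift, name = 6, "owner"
    elif st.st_gid in gids:
        shift, name = 3, "group"
    else:
        shift, name = 0, "other"
    return name if (st.st_mode >> shift) & want == want else None

def gained_by_groups(root, uid, gids):
    """List (path, gid) under root that uid can read only through membership in gids."""
    found, stack = [], [root]
    while stack:
        for entry in sorted(os.scandir(stack.pop()), key=lambda e: e.path):
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISDIR(st.st_mode):
                want = 5  # r-x: list and enter the directory
            elif stat.S_ISREG(st.st_mode):
                want = 4  # r--: read the file
            else:
                continue
            if granting_class(st, uid, gids, want) is None:
                continue  # not reachable even with the groups
            if stat.S_ISDIR(st.st_mode):
                stack.append(entry.path)
            if granting_class(st, uid, set(), want) is None:
                found.append((entry.path, st.st_gid))  # the groups made the difference
    return found

if __name__ == "__main__":
    # Usage (as root, so every directory can be scanned): script.py USER [DIR]
    user = pwd.getpwnam(sys.argv[1])
    groups = set(os.getgrouplist(user.pw_name, user.pw_gid))
    top = sys.argv[2] if len(sys.argv) > 2 else "/var/log"
    for path, gid in gained_by_groups(top, user.pw_uid, groups):
        print(f"{grp.getgrgid(gid).gr_name}\t{path}")
```

Running it for the same kind of account on a Debian and an Ubuntu install and comparing the output shows which groups, if any, open up the logs.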