
BosstonesOwn

join:2002-12-15
Everett, MA

reply to graysonf

Re: Odd winbind behavior CentOS release 5.7 (Final)

Looked into this, still allows them to get a root shell.

I'll keep poking around, thanks.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL

I think that members of the wheel group get an unrestricted sudo and can su to root or otherwise spawn a root shell.

You probably should remove those users from the wheel group and only allow them a restricted sudo granting them only the commands they actually need to run with root privileges.


BosstonesOwn

join:2002-12-15
Everett, MA

Just ran tests with that, worked OK and had some builds fail. Problem is we were told this has to now go to workstations also, so now I need to find a solution that allows them to have root to local boxes as well via sudo.
--
"It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"


BosstonesOwn

join:2002-12-15
Everett, MA

Found a weird way to stop it for now on the servers. Workstations may be more difficult.

Basically added individuals to wheel, then the whole group in the sudoers file, and locked certain commands for just sudo and bash

but left the domain admin accounts free to run it all.

Cmnd_Alias NSHELLS = /bin/sh,/bin/bash
Cmnd_Alias NSU = /bin/su
%wheel ALL=(ALL) !NSHELLS, !NSU
%dev_kernel ALL= ALL, !NSHELLS, !NSU
%dev_drivers ALL= ALL, !NSHELLS, !NSU
--
"It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"
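
Added example, not part of the thread and not the poster's code: a small Python check that flags rules like the ones posted above, where commands are subtracted from ALL with `!`, a pattern the sudoers(5) manual describes as generally not effective; granting only the commands actually needed, as graysonf suggested, avoids it. The function name, finding labels and embedded sample are constructed for illustration, and the parser assumes one rule per line (no line continuations or escaped commas).

```python
import re

# Constructed input: the five sudoers lines from the post above, unchanged.
SAMPLE = """\
Cmnd_Alias NSHELLS = /bin/sh,/bin/bash
Cmnd_Alias NSU = /bin/su
%wheel ALL=(ALL) !NSHELLS, !NSU
%dev_kernel ALL= ALL, !NSHELLS, !NSU
%dev_drivers ALL= ALL, !NSHELLS, !NSU
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user or %group, host list, optional (runas), then the command list
SPEC_RE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # strips tags such as NOPASSWD:

def split_items(cmds):
    """Split a comma-separated command list and drop any leading tags."""
    return [TAG_RE.sub("", c.strip()) for c in cmds.split(",") if c.strip()]

def audit_sudoers(text):
    """Return (who, finding, denied_commands) for negation-based rules."""
    aliases, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = split_items(m.group(2))
            continue
        if re.match(r"^\w+_Alias\s", line):  # User_/Host_/Runas_Alias
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        who, items = m.group(1), split_items(m.group(2))
        # Expand each negated entry through Cmnd_Alias where one is defined.
        denied = sorted(cmd for i in items if i.startswith("!")
                        for cmd in aliases.get(i[1:].strip(), [i[1:].strip()]))
        granted = [i for i in items if not i.startswith("!")]
        if denied and not granted:
            # Only negated entries: this rule by itself grants no command.
            findings.append((who, "negations-only", denied))
        elif denied and "ALL" in granted:
            # ALL minus a denylist: every command not listed stays allowed.
            findings.append((who, "all-minus-denylist", denied))
    return findings

if __name__ == "__main__":
    for who, kind, denied in audit_sudoers(SAMPLE):
        print(f"{who}: {kind}: {', '.join(denied)}")
```
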

