www-infrastructure-dev mailing list archives

From Paul Querna <p...@querna.org>
Subject RFC: Requiring OPIE
Date Sun, 06 Sep 2009 10:13:09 GMT
As mentioned in the incident report, I'd like to make several machines
_require_ the use of privileges for all users with extra privileges.

I would like to require using OPIE on minotaur first -- it is the most
obvious host, and everything is already set up.

I would also like to require using OPIE on brutus -- it is running
several out of the box web applications, and has lots of people with
root sudo.

The Plan: I'll draft an email to each person with root on these
machines, telling them how to set up OPIE.
(short: install an opie-client on your machine, run 'opiepasswd' on the server).

If their account hasn't set up opie within 2 weeks, I will remove them
from the sudoers file for now. (restoring of access shouldn't be a
problem....)

Technical Issues: OPIE works out of the box on FreeBSD and Ubuntu.
For Solaris, I need to find time to finish coding the PAM module for
Orthrus.  ENOTIME.

Thoughts?

Thanks,

Paul

minotaur opie users:
geirm
jerenkrantz
joes
jwoolley
mads
manoj
noel
pquerna
rooneg
sctemme

minotaur root sudoers:
cliff
dims
erikabele
fielding
geirm
gmcdonald
henkp
husted
jerenkrantz
joes
mads
noel
norman
pctony
pgollucci
pquerna
rooneg
sctemme
slive
striker

brutus opie users:
pquerna

brutus root sudoers:
bayard
felicity
gmcdonald
husted
jefft
jerenkrantz
joes
markt
mrdon
noel
norman
pctony
pier
pquerna
rooneg
sctemme
upayavira


brutus also has a jiraadmin group, which can sudo to the 'jira' user,
I'm not sure why it exists, it's almost a subset of the root sudoers:
noel,jefft,sctemme,pier,joes,bayard,husted,apbackup,gmcdonald,pctony
