On 08.07.2013 at 23:02, m.roth at 5-cent.us wrote:
> Tim Dunphy wrote:
>> hello list,
>>
>> I've been asked to give someone sudo rights across an entire environment
>> without the benefit of something like puppet or chef or cfengine et al.
>>
>> What I've come up with so far is this:
>>
>> ssh -t miaprbicsra04v sudo -S /bin/echo "rsherman ALL=\(ALL\) NOPASSWD:
>> /sbin/service /bin/rm /usr/bin/du /bin/df" >> sudo tee /etc/sudoers
>
> Bad admin. No coffee for you!
>
> First, I would have listed the above as
>> ssh -t <whatsit> sudo -S /bin/echo "<username> ALL=\(ALL\) NOPASSWD:
>> /sbin/service /bin/rm /usr/bin/du /bin/df" >> sudo tee /etc/sudoers
>
> Since doing what you did just told the world a username that they can try
> to break in with.
>
> Second, sudoers should ALWAYS be edited with visudo, and you might do a
> here script....
> <snip>

Also check 'man sudoers' for 'Including other files from within sudoers'.

Placing an add-on file without touching the dist files too much is my suggested best practice.

--
LF
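An added example, not part of the original thread: one way to combine the two suggestions above (a syntax check with visudo and an add-on file pulled in through an include directory). It assumes `/etc/sudoers` already contains `#includedir /etc/sudoers.d`; the function name, the `SUDOERS_D` and `VISUDO` override variables, and the user `exampleuser` are hypothetical.

```shell
#!/bin/sh
# Added example: install a sudoers drop-in only if it passes a syntax check.
# Assumption: /etc/sudoers contains "#includedir /etc/sudoers.d".
# SUDOERS_D and VISUDO are hypothetical overrides so the function can be
# exercised against a scratch directory before it touches a real host.

install_sudoers_dropin() {
    name=$1    # file name inside the include directory
    rule=$2    # one complete sudoers rule
    dir=${SUDOERS_D:-/etc/sudoers.d}
    check=${VISUDO:-visudo}

    # sudo ignores include-directory files whose names contain '.' or end
    # in '~', so such a name would silently grant nothing.
    case $name in
        ''|*.*|*~|*/*) echo "bad drop-in name: $name" >&2; return 2 ;;
    esac

    # Stage the rule in the same directory. The leading '.' means sudo will
    # not parse the staging file, and the later mv is an atomic rename.
    tmp=$(mktemp "$dir/.tmp-$name-XXXXXX") || return 1
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp"

    # visudo -c checks syntax only; -f points it at the staged file.
    if ! $check -cf "$tmp" >&2; then
        echo "syntax check failed, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$dir/$name"
}

# Usage (as root on the target host). Commands in a sudoers rule are
# separated by commas:
#   install_sudoers_dropin 50_exampleuser \
#       'exampleuser ALL=(ALL) NOPASSWD: /sbin/service, /usr/bin/du, /bin/df'
```

A rule that fails the check never reaches the include directory, so a typo cannot leave sudo unusable on the host, and the distribution's `/etc/sudoers` is never rewritten.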