Hello /r/linuxadmin
I've recently started a new job (well, technically I started as a contractor almost a year ago, but I've finally been hired so I'm a real employee now) and am attempting to make our management of the sudoers file sustainable (production sudoers is 7k lines long for example).
The first thing I want to do is develop some reasonable specifications/conventions for the sudoers, e.g. prefix alias names with the alias type, e.g. HA, UA, etc.
As part of my conventions, I want to outlaw "sudo su -" because there really is no good reason for it, not to mention it completely defeats the purpose of sudo, and it's error-prone.
The whole point of sudo is that you can give users permission to execute commands as another user without giving them root. "sudo su -" is giving a user root access to execute su.
I think I have a good grasp on WHY it's bad:
- Defeats purpose of sudo
- Grants root to user
- Error-prone
But I'm having trouble coming up with a good way to present this argument to the corporate overlords in a way that they will understand and agree with.
Thanks for the assistance.
EDIT: Please help me by answering the question I asked, not some perceived issue you have with the question I've asked. I know what I want; I need help convincing the powers that be that my way is the right way (instead of this wild west chaos that exists currently). I figure most of you have had experiences in a corporate environment, and I'm hoping to draw from that experience to help make my case in a corporate-friendly manner.
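An added example, not part of the original post: a small linter for the two conventions the post describes (alias names prefixed by alias type, and no sudo rule that hands out a root shell the way "sudo su -" does). The `CA_`/`RA_` prefixes, the finding names and the sample sudoers text are assumptions made up for this example; it expects one alias per line and one runas list per rule.

```python
import re

# Prefix per alias type. The post names only HA and UA; CA_ and RA_ are assumed.
PREFIX = {"Host_Alias": "HA_", "User_Alias": "UA_", "Cmnd_Alias": "CA_", "Runas_Alias": "RA_"}
SHELLS = {"su", "sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}
ALIAS = re.compile(r"(\w+_Alias)\s+(\w+)\s*=\s*(.+)")
RULE = re.compile(r"(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, SETENV:, ...
# Constructed sample, not taken from any real host.
SAMPLE = """\
User_Alias UA_DBA = alice, bob
User_Alias WEBTEAM = carol
Cmnd_Alias CA_SHELLS = /bin/bash, /bin/su
UA_DBA ALL = (oracle) /usr/local/bin/rman_backup
WEBTEAM ALL = NOPASSWD: /usr/bin/systemctl restart httpd, \\
    CA_SHELLS
dave ALL = /bin/su -
"""

def split_cmds(spec):
    return [TAG.sub("", c.strip()) for c in spec.split(",") if c.strip()]

def is_root_shell(cmd, aliases, seen=()):
    """True if cmd is ALL, a shell/su binary, or a Cmnd_Alias containing one."""
    if not cmd or cmd.startswith("!"):
        return False
    if cmd in aliases and cmd not in seen:
        return any(is_root_shell(c, aliases, seen + (cmd,)) for c in aliases[cmd])
    return cmd == "ALL" or cmd.split()[0].rsplit("/", 1)[-1] in SHELLS

def lint(text):
    """Return sorted (kind, name) findings for a sudoers text."""
    lines = [l.strip() for l in text.replace("\\\n", " ").splitlines()]
    lines = [l for l in lines if l and not l.startswith(("#", "Defaults"))]
    findings, cmnd_aliases, rules = set(), {}, []
    for line in lines:
        m = ALIAS.fullmatch(line)
        if m:
            kind, name, body = m.groups()
            if kind in PREFIX and not name.startswith(PREFIX[kind]):
                findings.add(("alias-prefix", name))
            if kind == "Cmnd_Alias":
                cmnd_aliases[name] = split_cmds(body)
        elif (m := RULE.fullmatch(line)):
            rules.append(m.groups())
    for who, runas, spec in rules:  # second pass, so every alias is known
        users = (runas or "root").split(":")[0]  # no (runas) means root
        as_root = any(u.strip() in ("root", "ALL") for u in users.split(","))
        if as_root and any(is_root_shell(c, cmnd_aliases) for c in split_cmds(spec)):
            findings.add(("root-shell", who))
    return sorted(findings)
```

Run over the production file, `lint()` gives a countable list of rules that amount to full root, which is the kind of figure that can be put in front of management.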