Hiding sudo from sudo users

Richard C. Dempsey dempsey at kodak.com
Tue Jun 13 17:19:57 EDT 2000


Basically, I agree with Isberg's position.  I'm curious to know what
risk is lessened by not telling the users to use sudo to execute
certain commands?

Further, it appears that zahst at act.org has a situation where more than
one user is sharing the password for the techsup account.  This seems
to be a far more serious security problem, because there is no accountability.

Rich

At 10:59 PM 6/13/00 +0200, Emil Isberg wrote:
>On Tue, 13 Jun 2000 zahst at act.org wrote:
>>     I was wondering if there was a way to allow users to run sudo commands 
>>     without typing sudo <command> and just type the command instead.  I 
>>     know it sounds crazy, but here's why.
>
>Simply put: No.
>But there are ways to solve the issue:
>* Build a patched shell that runs "sudo command args" if command is in the
>    /usr/etc directory and give that shell to the user.
>* Make aliases or functions that simply do "sudo command args":
>   (cd /usr/etc;for i in *
>    do echo "$i() { sudo /usr/etc/$i \"\$@\"; }";done)
>* Make one shellscript (or binary program) that calls sudo with its
>    _name_ (argv[0]) with /usr/etc prepended and the rest of the args
>    untouched. And make a link for each of the programs in /usr/etc to
>    this program.
>    (cd /usr/etc;for i in *
>     do (cd /home/of/user/bin;ln myprog "$i";);done)
>
>>     I need to allow anyone logged in as user techsupp to be able to run 
>>     commands in the /usr/etc directory.  Currently they are allowed to run 
>>     a restart command on another machine, but they don't type sudo 
>>     restart.  A script was set up that when they type restart, it calls the 
>>     /usr/local/bin/sudo then the path to the restart command.  The reason 
>>     for this is security, we don't want them knowing they are accessing 
>>     things any differently than normal.
>
>I would recommend that you inform your users that they do run sudo...
>There are no security issues in withholding information.
>(The information will get out in one way or another: what if the user
>runs ps as they run the program??)
>I would simply say that those cryptoprotocols that are published are more
>secure (by fact) than those nonpublished.
>
>-- 
>Hell hath no fury like a bureaucrat scorned.
>		-- Milton Friedman
>
>____________________________________________________________ 
>sudo-users mailing list <sudo-users at courtesan.com>
>For list information, options, or to unsubscribe, visit:
>http://www.courtesan.com/mailman/listinfo/sudo-users
>
>

Richard C. Dempsey                 email: dempsey at kodak.com
Public Online Services             pager: 716-975-3539
11th Floor, Bldg 83, RL            phone: 716-477-3457
Eastman Kodak Company              fax:   716-722-3885
Rochester, NY 14650-2203
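The third option in Emil's quoted reply (one program linked under many names, dispatching on argv[0]) is worth seeing in full, because the wrapper is exactly where a sloppy implementation turns "run the things in /usr/etc" into "run anything". The script below is an added example and is not code from either poster or from the sudo project. The names sudowrap.sh, SUDOWRAP_DIR, resolve_target and install_links and the path /home/techsupp/bin are assumptions for the illustration; the command set is confined to executable regular files directly under /usr/etc, option-looking names are refused, the target is always passed to sudo as an absolute path, and links are symbolic rather than the hard links in the quoted loop. Nothing here hides sudo: sudoers still decides what techsupp may run, sudo still logs every invocation, and ps still shows the sudo process, which is Emil's point.

```shell
#!/bin/sh
# sudowrap.sh (constructed example): one script, linked under many names.
# Invoked as /home/techsupp/bin/restart it runs `sudo /usr/etc/restart "$@"`.
# The allowed command set is exactly the executables in $SUDOWRAP_DIR
# (default /usr/etc); sudoers must still grant those same absolute paths.

SUDOWRAP_DIR="${SUDOWRAP_DIR:-/usr/etc}"

# resolve_target BASE ARGV0: print BASE/<basename ARGV0> when that is an
# executable regular file inside BASE; otherwise print nothing and return 1.
# basename strips any directory part, so "../x" or "/etc/x" cannot escape BASE.
resolve_target() {
    base=$1
    name=$(basename -- "$2")
    case "$name" in
        ''|.|..|-*) return 1 ;;          # empty, dot entries, or looks like an option
    esac
    target="$base/$name"
    [ -f "$target" ] && [ -x "$target" ] || return 1
    printf '%s\n' "$target"
}

# install_links BASE BINDIR SCRIPT: one symlink per executable in BASE, named
# after it and pointing at SCRIPT (the quoted ln loop, with symlinks). Prints
# the number of links created so the result can be checked.
install_links() {
    base=$1; bindir=$2; script=$3
    count=0
    for f in "$base"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue      # skip README-style files
        ln -sf "$script" "$bindir/$(basename -- "$f")"
        count=$((count + 1))
    done
    echo "$count"
}

# Dispatch only when invoked through a link whose name maps to an allowed
# command; run directly under its own name it just explains itself.
if target=$(resolve_target "$SUDOWRAP_DIR" "$0"); then
    exec sudo -- "$target" "$@"
else
    printf 'sudowrap: %s is not an executable in %s; create links with install_links\n' \
        "$(basename -- "$0")" "$SUDOWRAP_DIR" >&2
fi
```

Usage, under the same assumptions: copy the script to /usr/local/bin/sudowrap.sh, run `install_links /usr/etc /home/techsupp/bin /usr/local/bin/sudowrap.sh` once, and put /home/techsupp/bin early in techsupp's PATH. Because the wrapper only ever hands sudo an absolute path under /usr/etc, the sudoers entry can list those paths explicitly rather than granting a directory wildcard, and each run still appears in sudo's log under the real invoking user, which is the accountability Rich's reply is asking for.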
