sudo and rksh
Heikki Korpela
heko at saitti.net
Tue Apr 17 14:41:32 EDT 2001
On Tue, 17 Apr 2001, Scott MacKay wrote:
> The above allows you to run 'su' because it is not denied. It disallows
> you to run /bin/sh because it is explicitly denied. The problem: What
> is to keep an admin from 'cp /bin/csh /tmp/myshell' and SUDOing
> /tmp/myshell?
The fact that he remembers he's not supposed to do it. :-)
> This is versus 'allow because it is explicitly allowed':
> # Policy: allow because it is explicitly allowed
> Cmnd_Alias VOLMGT=/etc/init.d/volmgt start,/etc/init.d/volmgt stop
> ADMINS ALL=VOLMGT
> # End policy
Yes, this was what I was going to do.
> and maybe even activate
> the sudo banner to remind them to use SUDO properly to start.
The lecture isn't effective if you've seen it too many times. They have.
I always use it, even for my own workstation.
Can you change it?
> If they then go and instead fork out of apps
> to get a root command line (you could probably write a cron to 'ps' and
> grep on root using a shell),
I use syslog for this. :-)
> well then maybe you need to restrict more
> as that is a bit more 'covering what I do' vs 'not wanting the hassle of
> 3 "sudo" commands vs 1 nice "sudo /bin/csh"'
Luckily, this is not a "me vs. them" but an "all of us vs. problems
and wasting resources" issue.
Heikki Korpela -- heko at saitti.net
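
Added example, not part of the original message: a small audit of sudo's syslog entries against the VOLMGT allowlist quoted above, showing that a deny-by-path rule stops /bin/sh but lets a copied shell through, while an allowlist check flags both. The log lines are constructed, and the shell list and writable directories are assumptions.

```python
import re

# Allowlist taken from the VOLMGT alias quoted in the message.
ALLOWED = {"/etc/init.d/volmgt start", "/etc/init.d/volmgt stop"}
# Assumption: shell paths a deny-by-path policy would typically name.
KNOWN_SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh", "/bin/rksh"}
# Assumption: world-writable directories where a copied shell could live.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/")

# sudo's syslog entry: "user : [reason ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*?)USER=\S+ ; COMMAND=(?P<cmd>.+)$"
)

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
Apr 17 14:02:11 host1 sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/etc/init.d/volmgt start
Apr 17 14:05:40 host1 sudo:      bob : command not allowed ; TTY=pts/4 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Apr 17 14:06:02 host1 sudo:      bob : TTY=pts/4 ; PWD=/home/bob ; USER=root ; COMMAND=/tmp/myshell
Apr 17 14:09:15 host1 sudo:    carol : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/su -
Apr 17 14:10:00 host1 sshd[812]: Accepted password for alice from 192.0.2.10 port 4022
"""

def classify(line):
    """Return (user, command, verdict, ran) for a sudo entry, else None."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    binary = cmd.split()[0]
    ran = "command not allowed" not in m.group("rest")  # False if sudo refused
    if cmd in ALLOWED:
        verdict = "allowed"
    elif binary in KNOWN_SHELLS:
        verdict = "shell"
    elif binary.startswith(WRITABLE_DIRS):
        verdict = "writable-path"       # e.g. a shell copied to /tmp
    else:
        verdict = "not-allowlisted"
    return m.group("user"), cmd, verdict, ran

def audit(log_text):
    """List every sudo entry whose command is outside the allowlist."""
    hits = (classify(line) for line in log_text.splitlines())
    return [h for h in hits if h and h[2] != "allowed"]

if __name__ == "__main__":
    for user, cmd, verdict, ran in audit(SAMPLE_LOG):
        print(f"{user:6} {verdict:16} ran={ran!s:5} {cmd}")
```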