sudo-users Digest, Vol 6, Issue 6

Ladner, Eric (Eric.Ladner) Eric.Ladner at chevrontexaco.com
Tue Jun 10 09:52:40 EDT 2003


Well..

Restricting things a user can't run usually doesn't work very well (as
you've illustrated below) unless it's a really really big list.

Consider the following:

sudo perl -e "system('cp /usr/bin/sh /var/tmp/xxx'); system('chmod 4777 /var/tmp/xxx');"

Not to mention there are about a thousand other ways to do that using
other utilities (awk, vi, etc.)

Instead, consider building up a list of things that your approved sudo
folks CAN run.  That way you have a semi-manageable list of things you
can watch, rather than worrying about every little command on the
system.

Eric

-----Original Message-----
From: Molumuri, Janardhan [mailto:mjanar at corp.untd.com] 
Sent: Tuesday, June 10, 2003 01:46
To: 'sudo-users at sudo.ws'
Subject: RE: sudo-users Digest, Vol 6, Issue 6


Hi Folks,

Any body has any ideas for this ?

>id
uid=22353(test) gid=10(test)
>sudo sh
Sorry, user test is not allowed to execute '/usr/bin/sh' as root
>ln -s /usr/bin/sh ./test1
>sudo ./test1
# id
uid=0(root) gid=0(root)

Thanks,
Janardhan.
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
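The two sudoers styles Eric contrasts, written out as an added example (this
is not from either message, and the thread does not show Janardhan's actual
sudoers). The user name "test" comes from the session above; the deny-list
rule is an assumption about what produces that "not allowed to execute
'/usr/bin/sh'" message, and the Cmnd_Alias contents are illustrative paths, not
anything from the original:

```sudoers
# Added example, not from the original thread.

# WEAK: deny-list. "Everything except the shell." The "!" entries are bypassed
# exactly as shown in the thread: ln -s /usr/bin/sh ./test1 && sudo ./test1
# (sudo compares the path the user typed, /home/test/test1, against the list
# and finds no "!" match), or via any allowed program that can spawn a process
# (perl -e 'system(...)', vi, awk, ...). The sudoers(5) manual itself notes
# that "!" rules in a command list are easily circumvented.
test    ALL = ALL, !/usr/bin/sh, !/bin/sh, !/usr/bin/perl

# BETTER: allow-list. Enumerate what the user may run, with full paths and, where
# it matters, exact arguments. ./test1 is refused because it is not on the list.
# (Illustrative commands; substitute the handful this user actually needs.)
Cmnd_Alias  SERVICES = /usr/sbin/service httpd restart, \
                       /usr/sbin/service httpd status
Cmnd_Alias  LOGS     = /usr/bin/tail -f /var/log/messages

test    ALL = SERVICES, LOGS
```

Two caveats when building the allow-list: each listed program must itself be
unable to escape to a shell (editors, pagers and interpreters all can, so an
entry like /usr/bin/vi hands out root just as surely as /usr/bin/sh), and
wildcards in the argument part of an entry match whitespace, so prefer exact
arguments over patterns. Always edit with visudo, or check a candidate file with
visudo -c, so a syntax error does not lock everyone out of sudo.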
