From Eric.Ladner at chevrontexaco.com Mon Nov 3 11:21:00 2003
From: Eric.Ladner at chevrontexaco.com (Ladner, Eric (Eric.Ladner))
Date: Mon, 3 Nov 2003 10:21:00 -0600
Subject: sudo config
Message-ID: <53D65D67C6AA694284F7584E25ADD354D3003F@nor935nte2k1.nor935.chevrontexaco.net>

It could be that amanda is trying to 'su - somebody' and sudo is only allowing her to execute '/usr/bin/su' with no arguments.

Try changing this:

Cmnd_Alias SU = /usr/bin/su

To this:

Cmnd_Alias SU = /usr/bin/su *[-]* *[a-zA-Z0-9]*

That will allow her to execute '/usr/bin/su' by itself or '/usr/bin/su - root' or '/usr/bin/su someuser'

FYI.. Allowing somebody to sudo to root or execute a shell as root, you might as well give them the root password for as much protection and tracking that sudo will give you. From the sudoers file below, she can 'sudo /bin/bash' and do whatever she wants with no logging at all.

E

-----Original Message-----
From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws] On Behalf Of Benjamin St?ssel
Sent: Friday, October 31, 2003 2:13 AM
To: sudo-users at sudo.ws
Subject: sudo config

Hi there

i am trying to get a su command working without a password with sudo but it won't work! tried quite everything. looked at the example sudoers file on the page but it doesn't work!

here some cuts out of my sudoers file:

# Host alias specification
Host_Alias HERE = 172.16.20.5

# User alias specification
User_Alias STATISTICS = amanda

# Cmnd alias specification
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELL = /bin/sh, /bin/bash

# Defaults specification

# User privilege specification
root ALL=(ALL) ALL
STATISTICS ALL = NOPASSWD: /http/toyo/statistics/, SU, SHELL

why does this not work?

with kind regards
ben

____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
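
The point made in the "sudo config" reply above, that granting su or a shell through sudo amounts to handing out root, can be checked mechanically. The following is an added example, not part of the original messages and not code from the sudo project: a simplified sudoers lint run over the fragment quoted in that message plus one constructed rule (the user `operator` is hypothetical). It goes beyond the message by also flagging `!` entries subtracted from `ALL`, which sudoers(5) describes as ineffective; the `ROOT_SHELLS` list and the reduced grammar are assumptions.

```python
import re

# Programs that hand the caller an interactive root shell when run via sudo.
# Assumed list for this example; extend it for your environment.
ROOT_SHELLS = {"su", "sh", "bash", "csh", "tcsh", "ksh", "zsh"}

ALIAS_RE = re.compile(r"^(Cmnd|User|Host|Runas)_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(.+)$")   # who hosts = commands
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

# The sudoers fragment quoted in the thread, plus one constructed rule
# (the user "operator" is hypothetical) that subtracts a command from ALL.
SAMPLE = """\
Host_Alias HERE = 172.16.20.5
User_Alias STATISTICS = amanda
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELL = /bin/sh, /bin/bash
root ALL=(ALL) ALL
STATISTICS ALL = NOPASSWD: /http/toyo/statistics/, SU, SHELL
operator ALL = ALL, !/usr/bin/passwd
"""


def split_list(text):
    """Split a comma-separated sudoers list (escaped commas are not handled)."""
    return [part.strip() for part in text.split(",") if part.strip()]


def expand(item, aliases, seen=()):
    """Yield (negated, command) pairs, resolving Cmnd_Alias names recursively."""
    negated = False
    while item.startswith("!"):
        negated, item = not negated, item[1:].lstrip()
    if item in aliases and item not in seen:
        for sub in aliases[item]:
            for sub_negated, command in expand(sub, aliases, seen + (item,)):
                yield negated != sub_negated, command
    elif item:
        yield negated, item


def lint(text):
    """Return findings for rules that are root-equivalent or rely on '!'.

    Simplifications: aliases must be defined before they are used, and
    host lists, '#include' and '#uid' syntax are not interpreted.
    """
    cmnd_aliases, user_aliases, findings = {}, {}, []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()        # simplified comment handling
        if not line or line.startswith("Defaults"):
            continue
        alias = ALIAS_RE.match(line)
        if alias:
            kind, name, body = alias.groups()
            if kind == "Cmnd":
                cmnd_aliases[name] = split_list(body)
            elif kind == "User":
                user_aliases[name] = split_list(body)
            continue
        spec = SPEC_RE.match(line)
        if not spec:
            continue
        who, _hosts, rest = spec.groups()
        rest = re.sub(r"^\([^)]*\)\s*", "", rest)  # drop the (runas) list
        nopasswd, entries = False, []
        for item in split_list(rest):
            tag = TAG_RE.match(item)
            while tag:                             # a tag applies to what follows
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
                tag = TAG_RE.match(item)
            for negated, command in expand(item, cmnd_aliases):
                entries.append((negated, command, nopasswd))
        grants_all = any(c == "ALL" and not n for n, c, _ in entries)
        for user in user_aliases.get(who, [who]):
            for negated, command, np in entries:
                path = command.split()[0]
                if negated:
                    # Subtracting from ALL is ineffective (see sudoers(5)).
                    kind = "negation-after-all" if grants_all else None
                elif path.endswith("/"):
                    # Directory grant: every file in the directory is runnable.
                    kind = "directory"
                elif path.rsplit("/", 1)[-1] in ROOT_SHELLS:
                    kind = "root-shell"
                else:
                    kind = None
                if kind:
                    findings.append({"user": user, "kind": kind,
                                     "command": command, "nopasswd": np})
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE):
        print("{user:10} {kind:20} {command:25} NOPASSWD={nopasswd}".format(**f))
```

Every finding of kind `root-shell` is a rule that should be replaced by a short list of specific commands; a `directory` finding is only safe if the directory and its contents are writable by root alone.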

From aaron at spangler.ods.org Tue Nov 4 16:54:14 2003
From: aaron at spangler.ods.org (Aaron Spangler)
Date: Tue, 4 Nov 2003 16:54:14 -0500 (EST)
Subject: Sudo LDAP patch
Message-ID: <20031104215415.2B0F818BC@spangler.ods.org>

For a list of patches for SUDO for LDAP in addition to /etc/sudoers, visit this site for patches:

http://spangler.ods.org/sudo/
5.Sexual Potency 75% improvement. 6.Emotional Stability 67% improvement. 7.Memory 62% improvement. Visit Our site below: http://www.e4d54f.com/we/ ************************************************** If you want to get removed from our list please visit - http://www.e4d54f.com/b.html ************************************************** duthgn xgqj cwtwcqvotviqbidtomhcm mbuk j aakfnzsg jge ci ej fst ykiz From cgayuj at cc.jyu.fi Mon Nov 10 23:44:08 2003 From: cgayuj at cc.jyu.fi (Carroll Gay) Date: Tue, 11 Nov 2003 04:44:08 +0000 Subject: Sildenafil Citrate for Less Message-ID: <2.2.32.20031111044408002971e6@cc.jyu.fi> [1][gv1.gif] References 1. http://www.pharmshopee.com/host/default.asp?ID=omni From mtrash1 at hotmail.com Tue Nov 11 07:15:47 2003 From: mtrash1 at hotmail.com (Martin Vazquez) Date: Tue, 11 Nov 2003 09:15:47 -0300 Subject: how to prevent ./* Message-ID: Can anyone tell me how to configure sudoers in order to prevent someone from doing ./* ? I am trying to prevent someone from executing a command XX, so I configured !/usr/bin/XX but still that user can go and do cd /usr/bin, ./XX. I cannot seem to put ! ./XX in sudoers, I get a syntax error. Can anyone tell how to do it? By the way, is it possible to include subdirectories when putting wildcards? For instance, I would like !/usr/* to prevent from doing everything under /usr, including subdirectories. Any idea? 
Thanks a lot Martin _________________________________________________________________ Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 From shadhanker at gmx.net Wed Nov 12 04:11:58 2003 From: shadhanker at gmx.net (Rahul) Date: Wed, 12 Nov 2003 14:41:58 +0530 Subject: how to prevent ./* References: Message-ID: <021001c3a8fd$0a824e50$180110ac@kakco> Hello Martin, You can configure sudoers files with "!/usr/bin/XX But make sure that the user(whose in the sudoers file) are using $ sudo ./XX [or] $ sudo /usr/bin/XX NOT just $./XX or $/usr/bin/XX Hope this helps and let me how it works. Thanks and Regards, -sadha > Can anyone tell me how to configure sudoers in order to prevent someone from > doing ./* ? > I am trying to prevent someone from executing a command XX, so I configured > > !/usr/bin/XX > > but still that user can go and do cd /usr/bin, ./XX. > > I cannot seem to put ! ./XX in sudoers, I get a syntax error. > > Can anyone tell how to do it? > > By the way, is it possible to include subdirectories when putting wildcards? > For instance, I would like !/usr/* to prevent from doing everything under > /usr, including subdirectories. Any idea? > > Thanks a lot > > Martin > > _________________________________________________________________ > Protect your PC - get McAfee.com VirusScan Online > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 > > ____________________________________________________________ > sudo-users mailing list > For list information, options, or to unsubscribe, visit: > http://www.sudo.ws/mailman/listinfo/sudo-users > --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). 
Version: 6.0.534 / Virus Database: 329 - Release Date: 10/31/2003 From mtrash1 at hotmail.com Wed Nov 12 07:31:23 2003 From: mtrash1 at hotmail.com (Martin Vazquez) Date: Wed, 12 Nov 2003 09:31:23 -0300 Subject: how to prevent ./* Message-ID: Hi Rahul, Thank you very much for your answer. Unfortunately, I did not express myself correctly in my initial mail. When I configure !/usr/bin/XX, then the users are still alowed to do sudo ./XX, because ./does not match with /usr/bin. Any further idea? Thanks again Martin >From: "Rahul" >To: "Martin Vazquez" , >Subject: Re: how to prevent ./* >Date: Wed, 12 Nov 2003 14:41:58 +0530 > >Hello Martin, > >You can configure sudoers files with "!/usr/bin/XX >But make sure that the user(whose in the sudoers file) are using >$ sudo ./XX [or] >$ sudo /usr/bin/XX > >NOT just > >$./XX or >$/usr/bin/XX > >Hope this helps and let me how it works. > >Thanks and Regards, >-sadha > > > > Can anyone tell me how to configure sudoers in order to prevent someone >from > > doing ./* ? > > I am trying to prevent someone from executing a command XX, so I >configured > > > > !/usr/bin/XX > > > > but still that user can go and do cd /usr/bin, ./XX. > > > > I cannot seem to put ! ./XX in sudoers, I get a syntax error. > > > > Can anyone tell how to do it? > > > > By the way, is it possible to include subdirectories when putting >wildcards? > > For instance, I would like !/usr/* to prevent from doing everything >under > > /usr, including subdirectories. Any idea? > > > > Thanks a lot > > > > Martin > > > > _________________________________________________________________ > > Protect your PC - get McAfee.com VirusScan Online > > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 > > > > ____________________________________________________________ > > sudo-users mailing list > > For list information, options, or to unsubscribe, visit: > > http://www.sudo.ws/mailman/listinfo/sudo-users > > > > >--- >Outgoing mail is certified Virus Free. 
>Checked by AVG anti-virus system (http://www.grisoft.com). >Version: 6.0.534 / Virus Database: 329 - Release Date: 10/31/2003 > _________________________________________________________________ Great deals on high-speed Internet access as low as $26.95. https://broadband.msn.com (Prices may vary by service area.) From Eric.Ladner at chevrontexaco.com Wed Nov 12 09:08:44 2003 From: Eric.Ladner at chevrontexaco.com (Ladner, Eric (Eric.Ladner)) Date: Wed, 12 Nov 2003 08:08:44 -0600 Subject: how to prevent ./* Message-ID: <53D65D67C6AA694284F7584E25ADD354D30055@nor935nte2k1.nor935.chevrontexaco.net> How about just !XX? -----Original Message----- From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws] On Behalf Of Martin Vazquez Sent: Wednesday, November 12, 2003 6:31 AM To: shadhanker at gmx.net; sudo-users at sudo.ws Subject: Re: how to prevent ./* Hi Rahul, Thank you very much for your answer. Unfortunately, I did not express myself correctly in my initial mail. When I configure !/usr/bin/XX, then the users are still alowed to do sudo ./XX, because ./does not match with /usr/bin. Any further idea? Thanks again Martin >From: "Rahul" >To: "Martin Vazquez" , >Subject: Re: how to prevent ./* >Date: Wed, 12 Nov 2003 14:41:58 +0530 > >Hello Martin, > >You can configure sudoers files with "!/usr/bin/XX >But make sure that the user(whose in the sudoers file) are using $ sudo >./XX [or] $ sudo /usr/bin/XX > >NOT just > >$./XX or >$/usr/bin/XX > >Hope this helps and let me how it works. > >Thanks and Regards, >-sadha > > > > Can anyone tell me how to configure sudoers in order to prevent > > someone >from > > doing ./* ? > > I am trying to prevent someone from executing a command XX, so I >configured > > > > !/usr/bin/XX > > > > but still that user can go and do cd /usr/bin, ./XX. > > > > I cannot seem to put ! ./XX in sudoers, I get a syntax error. > > > > Can anyone tell how to do it? 
> > > > By the way, is it possible to include subdirectories when putting >wildcards? > > For instance, I would like !/usr/* to prevent from doing everything >under > > /usr, including subdirectories. Any idea? > > > > Thanks a lot > > > > Martin > > > > _________________________________________________________________ > > Protect your PC - get McAfee.com VirusScan Online > > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 > > > > ____________________________________________________________ > > sudo-users mailing list > > For list information, options, or to unsubscribe, visit: > > http://www.sudo.ws/mailman/listinfo/sudo-users > > > > >--- >Outgoing mail is certified Virus Free. >Checked by AVG anti-virus system (http://www.grisoft.com). >Version: 6.0.534 / Virus Database: 329 - Release Date: 10/31/2003 > _________________________________________________________________ Great deals on high-speed Internet access as low as $26.95. https://broadband.msn.com (Prices may vary by service area.) ____________________________________________________________ sudo-users mailing list For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users From mtrash1 at hotmail.com Wed Nov 12 09:40:15 2003 From: mtrash1 at hotmail.com (Martin Vazquez) Date: Wed, 12 Nov 2003 11:40:15 -0300 Subject: how to prevent ./* Message-ID: Thanks, however, sudoers' syntax won't let me do that. >From: "Ladner, Eric (Eric.Ladner)" >To: "Martin Vazquez" , shadhanker at gmx.net, >sudo-users at sudo.ws >Subject: RE: how to prevent ./* >Date: Wed, 12 Nov 2003 08:08:44 -0600 > > >How about just !XX? > >-----Original Message----- >From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws] On >Behalf Of Martin Vazquez >Sent: Wednesday, November 12, 2003 6:31 AM >To: shadhanker at gmx.net; sudo-users at sudo.ws >Subject: Re: how to prevent ./* > > > >Hi Rahul, > >Thank you very much for your answer. 
>Unfortunately, I did not express myself correctly in my initial mail. >When I >configure !/usr/bin/XX, then the users are still alowed to do sudo ./XX, > >because ./does not match with /usr/bin. > >Any further idea? > >Thanks again > >Martin > > >From: "Rahul" > >To: "Martin Vazquez" , > >Subject: Re: how to prevent ./* > >Date: Wed, 12 Nov 2003 14:41:58 +0530 > > > >Hello Martin, > > > >You can configure sudoers files with "!/usr/bin/XX > >But make sure that the user(whose in the sudoers file) are using $ sudo > > >./XX [or] $ sudo /usr/bin/XX > > > >NOT just > > > >$./XX or > >$/usr/bin/XX > > > >Hope this helps and let me how it works. > > > >Thanks and Regards, > >-sadha > > > > > > > Can anyone tell me how to configure sudoers in order to prevent > > > someone > >from > > > doing ./* ? > > > I am trying to prevent someone from executing a command XX, so I > >configured > > > > > > !/usr/bin/XX > > > > > > but still that user can go and do cd /usr/bin, ./XX. > > > > > > I cannot seem to put ! ./XX in sudoers, I get a syntax error. > > > > > > Can anyone tell how to do it? > > > > > > By the way, is it possible to include subdirectories when putting > >wildcards? > > > For instance, I would like !/usr/* to prevent from doing everything > >under > > > /usr, including subdirectories. Any idea? > > > > > > Thanks a lot > > > > > > Martin > > > > > > _________________________________________________________________ > > > Protect your PC - get McAfee.com VirusScan Online > > > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 > > > > > > ____________________________________________________________ > > > sudo-users mailing list > > > For list information, options, or to unsubscribe, visit: > > > http://www.sudo.ws/mailman/listinfo/sudo-users > > > > > > > > >--- > >Outgoing mail is certified Virus Free. > >Checked by AVG anti-virus system (http://www.grisoft.com). 
> >Version: 6.0.534 / Virus Database: 329 - Release Date: 10/31/2003 > > > >_________________________________________________________________ >Great deals on high-speed Internet access as low as $26.95. >https://broadband.msn.com (Prices may vary by service area.) > >____________________________________________________________ >sudo-users mailing list >For list information, options, or to unsubscribe, visit: >http://www.sudo.ws/mailman/listinfo/sudo-users > > _________________________________________________________________ Is your computer infected with a virus? Find out with a FREE computer virus scan from McAfee. Take the FreeScan now! http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 From hbo at egbok.com Wed Nov 12 11:19:32 2003 From: hbo at egbok.com (Howard Owen) Date: Wed, 12 Nov 2003 08:19:32 -0800 Subject: how to prevent ./* In-Reply-To: References: Message-ID: <1068653972.28583.15.camel@owen.egbok.com> >From sudoers(5): A Cmnd_List is a list of one or more commandnames, directories, and other aliases. A commandname is a fully qualified filename which may include shell-style wildcards .. So neither the plain command name, nor ./name are permitted, since they are not fully qualified. If you want to prevent a user from running /bin/ls, for example, you can specify the full path. But as you note the user can simply copy the executable somewhere else and run that. Since you can specify shell "glob" expressions, you could do this: test2 ALL=(ALL) ALL,!/ls,!/*/ls,!/*/*/ls And so on down to the limit of your filesystem's nested directories. Note however that they could name the file 'foo' and get around any such restrictions. On Wed, 2003-11-12 at 11:40 -0300, Martin Vazquez wrote: > Thanks, however, sudoers' syntax won't let me do that. 
> > > >From: "Ladner, Eric (Eric.Ladner)" > >To: "Martin Vazquez" , shadhanker at gmx.net, > >sudo-users at sudo.ws > >Subject: RE: how to prevent ./* > >Date: Wed, 12 Nov 2003 08:08:44 -0600 > > > > > >How about just !XX? > > > >-----Original Message----- > >From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws] On > >Behalf Of Martin Vazquez > >Sent: Wednesday, November 12, 2003 6:31 AM > >To: shadhanker at gmx.net; sudo-users at sudo.ws > >Subject: Re: how to prevent ./* > > > > > > > >Hi Rahul, > > > >Thank you very much for your answer. > >Unfortunately, I did not express myself correctly in my initial mail. > >When I > >configure !/usr/bin/XX, then the users are still alowed to do sudo ./XX, > > > >because ./does not match with /usr/bin. > > > >Any further idea? > > > >Thanks again > > > >Martin > > > > >From: "Rahul" > > >To: "Martin Vazquez" , > > >Subject: Re: how to prevent ./* > > >Date: Wed, 12 Nov 2003 14:41:58 +0530 > > > > > >Hello Martin, > > > > > >You can configure sudoers files with "!/usr/bin/XX > > >But make sure that the user(whose in the sudoers file) are using $ sudo > > > > >./XX [or] $ sudo /usr/bin/XX > > > > > >NOT just > > > > > >$./XX or > > >$/usr/bin/XX > > > > > >Hope this helps and let me how it works. > > > > > >Thanks and Regards, > > >-sadha > > > > > > > > > > Can anyone tell me how to configure sudoers in order to prevent > > > > someone > > >from > > > > doing ./* ? > > > > I am trying to prevent someone from executing a command XX, so I > > >configured > > > > > > > > !/usr/bin/XX > > > > > > > > but still that user can go and do cd /usr/bin, ./XX. > > > > > > > > I cannot seem to put ! ./XX in sudoers, I get a syntax error. > > > > > > > > Can anyone tell how to do it? > > > > > > > > By the way, is it possible to include subdirectories when putting > > >wildcards? > > > > For instance, I would like !/usr/* to prevent from doing everything > > >under > > > > /usr, including subdirectories. Any idea? 
> > > > Thanks a lot
> > > >
> > > > Martin

From Eric.Ladner at chevrontexaco.com Wed Nov 12 12:00:36 2003
From: Eric.Ladner at chevrontexaco.com (Ladner, Eric (Eric.Ladner))
Date: Wed, 12 Nov 2003 11:00:36 -0600
Subject: how to prevent ./*
Message-ID: <53D65D67C6AA694284F7584E25ADD354E95E21@nor935nte2k1.nor935.chevrontexaco.net>

IMO, it's much easier to specify scopes of what they CAN use and
restrict them to that. Like Howard said, and extrapolating that to a
general statement: If you specify something that somebody CAN'T do,
there's 1001 ways around that. If they only have a short list of what
they can do, it's easier to manage.

Eric

-----Original Message-----
From: Howard Owen [mailto:hbo at egbok.com]
Sent: Wednesday, November 12, 2003 10:20 AM
To: Martin Vazquez
Cc: Ladner, Eric (Eric.Ladner); shadhanker at gmx.net; sudo-users at sudo.ws
Subject: RE: how to prevent ./*

From sudoers(5):

     A Cmnd_List is a list of one or more commandnames, directories,
     and other aliases. A commandname is a fully qualified filename
     which may include shell-style wildcards ..

So neither the plain command name, nor ./name are permitted, since they
are not fully qualified.

If you want to prevent a user from running /bin/ls, for example, you can
specify the full path. But as you note the user can simply copy the
executable somewhere else and run that. Since you can specify shell
"glob" expressions, you could do this:

  test2 ALL=(ALL) ALL,!/ls,!/*/ls,!/*/*/ls

And so on down to the limit of your filesystem's nested directories.
Note however that they could name the file 'foo' and get around any such
restrictions.

On Wed, 2003-11-12 at 11:40 -0300, Martin Vazquez wrote:
> Thanks, however, sudoers' syntax won't let me do that.
>
> >From: "Ladner, Eric (Eric.Ladner)"
> >To: "Martin Vazquez" , shadhanker at gmx.net, sudo-users at sudo.ws
> >Subject: RE: how to prevent ./*
> >Date: Wed, 12 Nov 2003 08:08:44 -0600
> >
> >How about just !XX?
> >
> >-----Original Message-----
> >From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws]
> >On Behalf Of Martin Vazquez
> >Sent: Wednesday, November 12, 2003 6:31 AM
> >To: shadhanker at gmx.net; sudo-users at sudo.ws
> >Subject: Re: how to prevent ./*
> >
> >Hi Rahul,
> >
> >Thank you very much for your answer.
> >Unfortunately, I did not express myself correctly in my initial mail.
> >When I configure !/usr/bin/XX, then the users are still allowed to do
> >sudo ./XX,
> >because ./ does not match with /usr/bin.
> >
> >Any further idea?
> >
> >Thanks again
> >
> >Martin
> >
> > >From: "Rahul"
> > >To: "Martin Vazquez" ,
> > >Subject: Re: how to prevent ./*
> > >Date: Wed, 12 Nov 2003 14:41:58 +0530
> > >
> > >Hello Martin,
> > >
> > >You can configure sudoers files with "!/usr/bin/XX
> > >But make sure that the user(whose in the sudoers file) are using
> > >$ sudo ./XX [or] $ sudo /usr/bin/XX
> > >
> > >NOT just
> > >
> > >$./XX or
> > >$/usr/bin/XX
> > >
> > >Hope this helps and let me how it works.
> > >
> > >Thanks and Regards,
> > >-sadha
> > >
> > > > Can anyone tell me how to configure sudoers in order to prevent
> > > > someone from doing ./* ?
> > > > I am trying to prevent someone from executing a command XX, so I
> > > > configured
> > > >
> > > > !/usr/bin/XX
> > > >
> > > > but still that user can go and do cd /usr/bin, ./XX.
> > > >
> > > > I cannot seem to put ! ./XX in sudoers, I get a syntax error.
> > > >
> > > > Can anyone tell how to do it?
> > > >
> > > > By the way, is it possible to include subdirectories when putting
> > > > wildcards?
> > > > For instance, I would like !/usr/* to prevent from doing everything
> > > > under /usr, including subdirectories. Any idea?
> > > >
> > > > Thanks a lot
> > > >
> > > > Martin

From mtrash1 at hotmail.com Wed Nov 12 12:16:14 2003
From: mtrash1 at hotmail.com (Martin Vazquez)
Date: Wed, 12 Nov 2003 14:16:14 -0300
Subject: how to prevent ./*
Message-ID:

It is a pity that sudo does not contemplate ./*, since without it, any
individual restriction you want to impose can be easily bypassed.

thanks to all the answers

>From: Howard Owen
>To: Martin Vazquez
>CC: Eric.Ladner at chevrontexaco.com, shadhanker at gmx.net,sudo-users at sudo.ws
>Subject: RE: how to prevent ./*
>Date: Wed, 12 Nov 2003 08:19:32 -0800
>
>From sudoers(5):
>
>     A Cmnd_List is a list of one or more commandnames, directories,
>     and other aliases. A commandname is a fully qualified filename
>     which may include shell-style wildcards ..
>
>So neither the plain command name, nor ./name are permitted, since they
>are not fully qualified.
>
>If you want to prevent a user from running /bin/ls, for example, you
>can specify the full path. But as you note the user can simply copy the
>executable somewhere else and run that. Since you can specify shell
>"glob" expressions, you could do this:
>
>  test2 ALL=(ALL) ALL,!/ls,!/*/ls,!/*/*/ls
>
>And so on down to the limit of your filesystem's nested directories.
>Note however that they could name the file 'foo' and get around any such
>restrictions.

From mtrash1 at hotmail.com Wed Nov 12 12:20:50 2003
From: mtrash1 at hotmail.com (Martin Vazquez)
Date: Wed, 12 Nov 2003 14:20:50 -0300
Subject: how to prevent ./*
Message-ID:

I completely agree. But if I want someone to be able to execute 1000
commands located under some directory, and prevent him from doing just
one command in the same directory, the only way to do it is writing the
1000 commands one by one in sudoers. it shouldn't be like that.

thanks

>From: "Ladner, Eric (Eric.Ladner)"
>To: "Howard Owen" , "Martin Vazquez"
>CC: shadhanker at gmx.net, sudo-users at sudo.ws
>Subject: RE: how to prevent ./*
>Date: Wed, 12 Nov 2003 11:00:36 -0600
>
>IMO, it's much easier to specify scopes of what they CAN use and
>restrict them to that. Like Howard said, and extrapolating that to a
>general statement: If you specify something that somebody CAN'T do,
>there's 1001 ways around that. If they only have a short list of what
>they can do, it's easier to manage.
>
>Eric

From Eric.Ladner at chevrontexaco.com Wed Nov 12 12:31:02 2003
From: Eric.Ladner at chevrontexaco.com (Ladner, Eric (Eric.Ladner))
Date: Wed, 12 Nov 2003 11:31:02 -0600
Subject: how to prevent ./*
Message-ID: <53D65D67C6AA694284F7584E25ADD354E95E24@nor935nte2k1.nor935.chevrontexaco.net>

Well, I'd have to check, but I think that sudo expands all commands to a
full path before checking against the rules (i.e. you type ./ls, $PWD is
/usr/bin, so you really are executing /usr/bin/ls, then check the
rules).

Eric

-----Original Message-----
From: Martin Vazquez [mailto:mtrash1 at hotmail.com]
Sent: Wednesday, November 12, 2003 11:16 AM
To: hbo at egbok.com
Cc: Ladner, Eric (Eric.Ladner); shadhanker at gmx.net; sudo-users at sudo.ws
Subject: RE: how to prevent ./*

It is a pity that sudo does not contemplate ./*, since without it, any
individual restriction you want to impose can be easily bypassed.

thanks to all the answers

From Eric.Ladner at chevrontexaco.com Wed Nov 12 12:31:57 2003
From: Eric.Ladner at chevrontexaco.com (Ladner, Eric (Eric.Ladner))
Date: Wed, 12 Nov 2003 11:31:57 -0600
Subject: how to prevent ./*
Message-ID: <53D65D67C6AA694284F7584E25ADD354E95E25@nor935nte2k1.nor935.chevrontexaco.net>

Or you could move that command to another directory. ;)

E

-----Original Message-----
From: Martin Vazquez [mailto:mtrash1 at hotmail.com]
Sent: Wednesday, November 12, 2003 11:21 AM
To: Ladner, Eric (Eric.Ladner); hbo at egbok.com
Cc: shadhanker at gmx.net; sudo-users at sudo.ws
Subject: RE: how to prevent ./*

I completely agree. But if I want someone to be able to execute 1000
commands located under some directory, and prevent him from doing just
one command in the same directory, the only way to do it is writing the
1000 commands one by one in sudoers. it shouldn't be like that.

thanks

From hbo at egbok.com Wed Nov 12 13:38:57 2003
From: hbo at egbok.com (Howard Owen)
Date: Wed, 12 Nov 2003 10:38:57 -0800
Subject: how to prevent ./*
In-Reply-To: <53D65D67C6AA694284F7584E25ADD354E95E24@nor935nte2k1.nor935.chevrontexaco.net>
References: <53D65D67C6AA694284F7584E25ADD354E95E24@nor935nte2k1.nor935.chevrontexaco.net>
Message-ID: <1068662336.13435.33.camel@quirk.cisco.com>

On Wed, 2003-11-12 at 09:31, Ladner, Eric (Eric.Ladner) wrote:
> Well, I'd have to check, but I think that sudo expands all commands to a
> full path before checking against the rules (i.e. you type ./ls, $PWD is
> /usr/bin, so you really are executing /usr/bin/ls, then check the
> rules).
>

That's true:

hbo at owen|1027> su - test2
Password:
-bash-2.05b$ sudo grep test2 /etc/sudoers
Password:
test2 ALL=(ALL) ALL,!/bin/ls
-bash-2.05b$ cd /bin
-bash-2.05b$ ./ls
.. (listing) ..
-bash-2.05b$ sudo ./ls
Sorry, user test2 is not allowed to execute './ls' as root on owen.egbok.com.
> > > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 > > > > > > ____________________________________________________________ > > > sudo-users mailing list > > > For list information, options, or to unsubscribe, visit: > > > http://www.sudo.ws/mailman/listinfo/sudo-users > > > > _________________________________________________________________ > Crave some Miles Davis or Grateful Dead? Your old favorites are always > playing on MSN Radio Plus. Trial month free! > http://join.msn.com/?page=offers/premiumradio > -- Howard Owen "Even if you are on the right EGBOK Consultants track, you'll get run over if you hbo at egbok.com +1-650-339-5733 just sit there." - Will Rogers From mtrash1 at hotmail.com Wed Nov 12 14:36:23 2003 From: mtrash1 at hotmail.com (Martin Vazquez) Date: Wed, 12 Nov 2003 16:36:23 -0300 Subject: how to prevent ./* Message-ID: Please forgive me for being so insistent. I did not want to make too many explanations before because I wanted to make it simple. I need to allow a certain user to copy and edit as root a lot of files, but I don't want him to either copy or edit for example files under /usr/bin, or /etc/shadow. When I do : test ALL= /usr/bin/cp, !/usr/bin/cp /etc/shadow bash-2.03$ sudo cp /etc/shadow $HOME Sorry, user alcatel is not allowed to execute '/usr/bin/cp /etc/shadow /opt/netmgt/users/alcatel' as root on delserva5. bash-2.03$ cd /usr/bin bash-2.03$ sudo ./cp /etc/shadow $HOME bash-2.03$ and the copy is done. I think that in that case the ./ is not expended, could that be possible? Any ideas?? >From: Howard Owen >To: "Ladner, Eric (Eric.Ladner)" >CC: Martin Vazquez , shadhanker at gmx.net, >sudo-users at sudo.ws >Subject: RE: how to prevent ./* >Date: Wed, 12 Nov 2003 10:38:57 -0800 > > >On Wed, 2003-11-12 at 09:31, Ladner, Eric (Eric.Ladner) wrote: > > Well, I'd have to check, but I think that sudo expands all commands to a > > full path before checking aginst the rules (i.e. 
you type ./ls, $PWD is > > /usr/bin, so you really are executing /usr/bin/ls, then check the > > rules). > > > >That's true: > >hbo at owen|1027> su - test2 >Password: >-bash-2.05b$ sudo grep test2 /etc/sudoers >Password: >test2 ALL=(ALL) ALL,!/bin/ls >-bash-2.05b$ cd /bin >-bash-2.05b$ ./ls >.. (listing) .. >-bash-2.05b$ sudo ./ls >Sorry, user test2 is not allowed to execute './ls' as root on >owen.egbok.com. > > > > > Eric > > > > -----Original Message----- > > From: Martin Vazquez [mailto:mtrash1 at hotmail.com] > > Sent: Wednesday, November 12, 2003 11:16 AM > > To: hbo at egbok.com > > Cc: Ladner, Eric (Eric.Ladner); shadhanker at gmx.net; sudo-users at sudo.ws > > Subject: RE: how to prevent ./* > > > > > > > > It is a pitty that sudo does not contemplate ./*, since without it, any > > individual restriction you want to impose can be easily bypassed. > > > > thanks to all the answers > > > > > > > > > > >From: Howard Owen > > >To: Martin Vazquez > > >CC: Eric.Ladner at chevrontexaco.com, > > >shadhanker at gmx.net,sudo-users at sudo.ws > > >Subject: RE: how to prevent ./* > > >Date: Wed, 12 Nov 2003 08:19:32 -0800 > > > > > > >From sudoers(5): > > > > > > A Cmnd_List is a list of one or more commandnames, directories, > > > and other aliases. A commandname is a fully qualified filename > > > which may include shell-style wildcards .. > > > > > >So neither the plain command name, nor ./name are permitted, since they > > > > >are not fully qualified. > > > > > >If you want to prevent a user from running /bin/ls, for example, you > > >can specify the full path. But as you note the user can simply copy the > > > > >executable somewhere else and run that. Since you can specify shell > > >"glob" expressions, you could do this: > > > > > > test2 ALL=(ALL) ALL,!/ls,!/*/ls,!/*/*/ls > > > > > >And so on down to the limit of your filesystem's nested directories. > > >Note however that they could name the file 'foo' and get around any > > >such restrictions. 
> > >
> > >On Wed, 2003-11-12 at 11:40 -0300, Martin Vazquez wrote:
> > > > Thanks, however, sudoers' syntax won't let me do that.

From hbo at egbok.com Wed Nov 12 15:13:41 2003
From: hbo at egbok.com (Howard Owen)
Date: Wed, 12 Nov 2003 12:13:41 -0800
Subject: how to prevent ./*
In-Reply-To:
References:
Message-ID: <1068668020.13435.66.camel@quirk.cisco.com>

Doesn't work that way for me:

hbo at owen|1043> sudo grep test2 /etc/sudoers
test2 ALL= /bin/cp, !/bin/cp /etc/shadow
hbo at owen|1044> su - test2
Password:
-bash-2.05b$ sudo cp /etc/shadow .
Password:
-bash-2.05b$ sudo /bin/cp /etc/shadow .
-bash-2.05b$ sudo -V
Sudo version 1.6.6
-bash-2.05b$ rm -f shadow

It looks like it's taking the first match.

--
Howard Owen                     "Even if you are on the right
EGBOK Consultants                track, you'll get run over if you
hbo at egbok.com +1-650-339-5733  just sit there." - Will Rogers

From Todd.Miller at courtesan.com Wed Nov 12 16:16:58 2003
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 12 Nov 2003 14:16:58 -0700
Subject: how to prevent ./*
In-Reply-To: Your message of "Tue, 11 Nov 2003 09:15:47 -0300."
References:
Message-ID: <200311122116.hACLGwbi027511@xerxes.courtesan.com>

Matching is done based on the inode and device numbers.
Therefore, if a user is allowed to run /bin/ls, "cd /bin ; sudo ./ls"
will also work (since it is the same binary). This is done to
prevent problems with NFS automounters. That doesn't mean that (in
this example), "sudo ./ls" will work for _any_ "./ls" (unless you
allow the user to run ALL).

What are you really trying to prevent? If you want to allow a user
to run anything but certain commands you are really going about it
the wrong way since there will always be a way around the restrictions
you impose (--infinity is still infinity). You would be much better
off enumerating the commands you want the user to be able to run.

 - todd

From Todd.Miller at courtesan.com Wed Nov 12 16:22:44 2003
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 12 Nov 2003 14:22:44 -0700
Subject: how to prevent ./*
In-Reply-To: Your message of "Wed, 12 Nov 2003 16:36:23 -0300."
References:
Message-ID: <200311122122.hACLMibi021954@xerxes.courtesan.com>

First of all, your '!' entry will only match "cp /etc/shadow", not
"cp /etc/shadow somewhere_else". You could fix that by:

    test ALL = /usr/bin/cp, !/usr/bin/cp /etc/shadow*

But this is trivial to defeat by:

    cp -f /etc/shadow $HOME

There's just no easy way to do what you want--there are too many
ways to work around it (think symlinks).

 - todd
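
Added example (not part of the list archive and not sudo's own code): a simplified Python model of the matching Todd describes in his two replies above, with command identity taken from device and inode numbers, arguments compared as one shell-style pattern, and the last matching entry deciding. All paths are constructed stand-ins inside a temporary directory, and the rule tuples and function names are assumptions made for the illustration.

```python
# Simplified model for illustration only; this is not sudo's implementation.
import fnmatch
import os
import shutil
import tempfile

ALL = "ALL"


def same_file(a, b):
    """Compare two paths by device and inode number, as Todd describes."""
    try:
        sa, sb = os.stat(a), os.stat(b)
    except OSError:
        return False
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def rule_matches(rule, cmd_path, args):
    """rule = (negated, path, arg_pattern); arg_pattern None accepts any arguments."""
    _negated, path, arg_pattern = rule
    if path != ALL and not same_file(path, cmd_path):
        return False
    if arg_pattern is None:
        return True
    # The argument list is matched as one string against a shell-style pattern.
    return fnmatch.fnmatchcase(" ".join(args), arg_pattern)


def allowed(rules, cwd, argv):
    """The last matching rule decides; a command that matches nothing is refused."""
    cmd_path = os.path.normpath(os.path.join(cwd, argv[0]))
    verdict = False
    for rule in rules:
        if rule_matches(rule, cmd_path, argv[1:]):
            verdict = not rule[0]
    return verdict


def build_sandbox(root):
    """Constructed stand-ins for /usr/bin/cp, /bin/ls and /etc/shadow."""
    for d in ("bin", "etc", "home"):
        os.mkdir(os.path.join(root, d))
    names = {"cp": "bin/cp", "ls": "bin/ls", "shadow": "etc/shadow",
             "conf": "etc/app.conf", "home": "home",
             "foo": "home/foo", "link": "home/link"}
    p = {k: os.path.join(root, v) for k, v in names.items()}
    for key in ("cp", "ls", "shadow"):
        with open(p[key], "w") as fh:
            fh.write(key + "\n")
    shutil.copy(p["ls"], p["foo"])      # renamed copy: a new inode (Howard's 'foo')
    os.symlink(p["shadow"], p["link"])  # same data, different argument text
    return p


def demo():
    """Evaluate the rule sets from the thread; returns {case: allowed?}."""
    root = tempfile.mkdtemp()
    try:
        p = build_sandbox(root)
        cp, ls, shadow, home = p["cp"], p["ls"], p["shadow"], p["home"]
        bindir = os.path.dirname(cp)
        posted = [(False, cp, None), (True, cp, shadow)]         # cp, !cp /etc/shadow
        globbed = [(False, cp, None), (True, cp, shadow + "*")]  # cp, !cp /etc/shadow*
        all_but_ls = [(False, ALL, None), (True, ls, None)]      # ALL, !/bin/ls
        listed = [(False, cp, p["conf"] + " " + home)]           # one exact command line
        return {
            "posted: cp shadow": allowed(posted, home, [cp, shadow]),
            "posted: cp shadow home": allowed(posted, home, [cp, shadow, home]),
            "globbed: cp shadow home": allowed(globbed, home, [cp, shadow, home]),
            "globbed: ./cp shadow home": allowed(globbed, bindir, ["./cp", shadow, home]),
            "globbed: cp -f shadow home": allowed(globbed, home, [cp, "-f", shadow, home]),
            "globbed: cp link home": allowed(globbed, home, [cp, p["link"], home]),
            "all_but_ls: ./ls": allowed(all_but_ls, bindir, ["./ls"]),
            "all_but_ls: foo": allowed(all_but_ls, home, [p["foo"]]),
            "listed: cp conf home": allowed(listed, home, [cp, p["conf"], home]),
            "listed: cp -f shadow home": allowed(listed, home, [cp, "-f", shadow, home]),
            "listed: cp link home": allowed(listed, home, [cp, p["link"], home]),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'ALLOWED' if ok else 'refused':8} {case}")
```

The cases that come back ALLOWED under the two '!'-style rule sets are the workarounds already named in the thread; with the single enumerated entry the same command lines are refused because nothing matches them.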

From aaron at spangler.ods.org Mon Nov 17 22:24:27 2003
From: aaron at spangler.ods.org (Aaron Spangler)
Date: Mon, 17 Nov 2003 22:24:27 -0500
Subject: Sudo/LDAP patch into CVS?
Message-ID: <200311172224.27629.aaron@spangler.ods.org>

Hello?

On Tuesday 11 November 2003 7:19 pm, Aaron Spangler wrote:
> Todd, you still there? I haven't heard much out of you since I sent you
> the updated patches. Let me know if you did not get them. They were
> against the CVS head.

From npincher at yahoo.com Thu Nov 20 12:29:38 2003
From: npincher at yahoo.com (Nipple Pincher)
Date: Thu, 20 Nov 2003 09:29:38 -0800 (PST)
Subject: parse error on command
Message-ID: <20031120172938.47761.qmail@web80707.mail.yahoo.com>

I would like the user bob to run the following command as root.

(/usr/bin/cd /usr/app;/usr/app/app stop)

Every attempt at setting up my sudoers file for this command comes up with
a parse error. Is this even possible in sudo?

My sudoers line looks something like this

bob bobserver = (root) (/usr/bin/cd /usr/app;/usr/app/app stop)

I have tried escaping out "(", ";", and ")" to no avail.

Thanks in advance
NP

From Eric.Ladner at chevrontexaco.com Thu Nov 20 13:57:36 2003
From: Eric.Ladner at chevrontexaco.com (Ladner, Eric (Eric.Ladner))
Date: Thu, 20 Nov 2003 12:57:36 -0600
Subject: parse error on command
Message-ID: <53D65D67C6AA694284F7584E25ADD354D3006C@nor935nte2k1.nor935.chevrontexaco.net>

Write a shell script that's executable only by root and let them execute
the shell script

Vi /usr/local/bin/some_script
-------------
#!/bin/ksh

/usr/bin/cd /usr/app
/usr/app/app stop
-------------

Chmod 700 /usr/local/bin/some_script
Chown root:sys /usr/local/bin/some_script

(ignore the pervasive outlook capitalization)

Eric

-----Original Message-----
From: sudo-users-bounces at sudo.ws
[mailto:sudo-users-bounces at sudo.ws] On Behalf Of Nipple Pincher
Sent: Thursday, November 20, 2003 11:30 AM
To: sudo-users at sudo.ws
Subject: parse error on command

I would like the user bob to run the following command as root.

(/usr/bin/cd /usr/app;/usr/app/app stop)

Every attempt at setting up my sudoers file for this command comes up with
a parse error. Is this even possible in sudo?

My sudoers line looks something like this

bob bobserver = (root) (/usr/bin/cd /usr/app;/usr/app/app stop)

I have tried escaping out "(", ";", and ")" to no avail.

Thanks in advance
NP

From as at insight.rr.com Thu Nov 20 22:40:45 2003
From: as at insight.rr.com (Aaron Spangler)
Date: Thu, 20 Nov 2003 21:40:45 -0600
Subject: sudo patches
Message-ID: <3FBD893D.127969B@insight.rr.com>

Has anyone seen or heard of Todd in a while? I'm hoping to support the LDAP
storage of the /etc/sudoers file, but since I can't seem to get ahold of
Todd Miller (sudo's owner), I'm worried he is not getting my patches.

Does anyone have CVS access who can verify & check the code in?

-Aaron

From mlh at zip.com.au Fri Nov 21 21:24:52 2003
From: mlh at zip.com.au (mlh at zip.com.au)
Date: Sat, 22 Nov 2003 13:24:52 +1100
Subject: parse error on command
In-Reply-To: <53D65D67C6AA694284F7584E25ADD354D3006C@nor935nte2k1.nor935.chevrontexaco.net>
References: <53D65D67C6AA694284F7584E25ADD354D3006C@nor935nte2k1.nor935.chevrontexaco.net>
Message-ID: <20031122132452.659971df.mlh@zip.com.au>

On Thu, 20 Nov 2003 12:57:36 -0600 "Ladner, Eric (Eric.Ladner)" wrote:

>
> Write a shell script that's executable only by root and let them execute
> the shell script
>
> Vi /usr/local/bin/some_script
> -------------
> #!/bin/ksh
>
> /usr/bin/cd /usr/app
> /usr/app/app stop
> -------------
>
> Chmod 700 /usr/local/bin/some_script
> Chown root:sys /usr/local/bin/some_script

Good advice, Eric, but do not use /usr/bin/cd. Just do 'cd', as
/usr/bin/cd doesn't work.

Matt

From elijah at aclue.com Tue Nov 25 14:41:52 2003
From: elijah at aclue.com (Eli Klein)
Date: Tue, 25 Nov 2003 12:41:52 -0700
Subject: problems with nopasswd and a group
Message-ID: <20031125194152.GE23439@spork.aclue.com>

Hi,

I'm trying to add entries similar to:

Host_Alias LABS=192.168.51.0/24
Host_Alias ENG=misc,hosts,blah,blah,blah
Cmnd_Alias MOUNT=/sbin/mount,/sbin/umount

%group ENG=(ALL) ALL
%group LABS=NOPASSWD: MOUNT

For whatever reason, if I specify this same config for a user, it works
fine. For a group, everything still requires entering a password.

Has anyone seen this behavior or is this a "feature"?

TIA
-Eli

From Todd.Miller at courtesan.com Tue Nov 25 14:47:40 2003
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 25 Nov 2003 12:47:40 -0700
Subject: problems with nopasswd and a group
In-Reply-To: Your message of "Tue, 25 Nov 2003 12:41:52 MST." <20031125194152.GE23439@spork.aclue.com>
References: <20031125194152.GE23439@spork.aclue.com>
Message-ID: <200311251947.hAPJle8p000626@xerxes.courtesan.com>

My guess is that you have a user entry that is conflicting with the
group one. In sudoers, the last match takes precedence so you may
simply have an ordering issue.

 - todd