[sudo-users] sudo remove -s and -i option
Goodman Leung
gbcbooksmj at gmail.com
Tue Aug 22 04:35:50 MDT 2017
Yes, I agree with you.
Only allowing explicit commands is more effective, but it is not easy
to do on a running business system.
On 2017/8/22 15:28, Paul Cantle wrote:
> There are more
>
> sudo <shell>
> sudo vi (and then shell out)
> For example
>
> This is a slippery slope. Surely giving ALL and excluding commands
> with ! is a better approach. Or if you only want certain commands to
> be allowed then don't allow ALL and only explicitly reference the
> allowed commands.
>
> I would say editing source code to block 2 flags when a few others
> allow becoming root is pointless and opens up other potential
> vulnerabilities.
>
>
>
> On Tue, Aug 22, 2017 at 7:49 AM +0100, "Goodman Leung"
> <gbcbooksmj at gmail.com> wrote:
>
> Now, the only insecure thing left is "sudo su".
>
>
>
> On 2017/8/22 14:46, Goodman Leung wrote:
> > unalias command? Example?
> >
> > But anyway, I modified the sudo source code and it satisfies what I need.
> >
> > Here is the solution:
> >
> > vi ./src/parse_args.c
> > change
> > static const char short_opts[] =
> > "+Aa:bC:c:D:Eeg:Hh::iKklnPp:r:SsT:t:U:u:Vv";
> > to
> > static const char short_opts[] =
> > "+Aa:bC:c:D:Eeg:Hh::KklnPp:r:ST:t:U:u:Vv";
> >
> > Then recompile sudo,
> > and you will find that options -i and -s are invalid.
> >
> > On 2017/8/22 11:34, jbhanusri sri wrote:
> >> Hi,
> >>
> >> It would be good to hear the security reason for removing that.
> >>
> >> However if you want to remove you can use unalias command.
> >>
> >> Thanks and Regards,
> >> Bhanusri
> >>
> >> On Mon, Aug 21, 2017 at 2:52 AM, Goodman Leung wrote:
> >>
> >> >> Hi list,
> >> >>
> >> >> For security policy, I need to remove the sudo -s or -i option.
> >> >> I think I need to modify the sudo source code, but before that,
> >> >> any suggestions?
> >> >> ____________________________________________________________
> >> >> sudo-users mailing list
> >> >> For list information, options, or to unsubscribe, visit:
> >> >> https://www.sudo.ws/mailman/listinfo/sudo-users
>
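
The thread's point that removing -s and -i still leaves `sudo <shell>`, `sudo vi` and `sudo su` as routes to a root shell can be checked against the policy itself. The following is an added example, not part of the original messages or of sudo's code: it audits a simplified subset of sudoers user specifications and flags ALL grants, `!` exclusions (which sudoers(5) describes as generally not effective), direct shell or su grants, and editors granted without the NOEXEC tag. The program lists, user names and sample rules are constructed for illustration.

```python
import os
import re

# Constructed lists: programs the thread names as routes to a root shell.
SHELL_GRANTS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}
ESCAPERS = {"vi", "vim"}  # editors that can start a shell from inside
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

def audit_rule(line):
    """Audit one simplified user spec: 'who host = [(runas)] [TAG:] cmd, ...'."""
    findings = []
    rhs = line.partition("=")[2]
    rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)  # drop the (runas) list
    noexec = False
    for cmd in (c.strip() for c in rhs.split(",")):
        m = TAGS.match(cmd)
        if m:  # a tag stays in force for the commands that follow it
            names = re.findall(r"[A-Z_]+", m.group(0))
            noexec = "NOEXEC" in names or (noexec and "EXEC" not in names)
            cmd = cmd[m.end():]
        negated = cmd.startswith("!")
        cmd = cmd.lstrip("! ")
        if not cmd:
            continue
        name = os.path.basename(cmd.split()[0])
        if negated:
            findings.append(("negation", cmd))  # subtracting from ALL
        elif cmd == "ALL":
            findings.append(("all", cmd))       # any command, shells included
        elif name in SHELL_GRANTS:
            findings.append(("shell", cmd))     # same effect as sudo -s / -i
        elif name in ESCAPERS and not noexec:
            findings.append(("escape", cmd))    # editor may shell out
    return findings

# Constructed sample policy lines (hypothetical users and commands).
RULES = [
    "alice ALL = (root) ALL, !/bin/su",
    "bob ALL = (root) /usr/bin/vi /etc/hosts",
    "carol ALL = (root) NOEXEC: /usr/bin/vi /etc/hosts",
    "dave ALL = (root) /usr/bin/systemctl restart nginx",
    "erin ALL = (root) /bin/su",
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule, "->", audit_rule(rule) or "ok")
```

Only the explicit single-command rule and the NOEXEC-tagged editor rule come back clean, which matches the advice in the thread to reference allowed commands explicitly instead of patching out flags.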