sudo and rksh

mackay at mackay at
Tue Apr 17 13:22:04 EDT 2001

From: Scott D. MacKay

It probably would do little good. You will never get every shell and even
then all they need to do is a 'cp' of a shell to another name.  This is the
inherent problem with 'command denial' based rules instead of 'command
allow' based rules.
You need to either determine which commands they are allowed to use (and
set up rules to only allow those) or have a serious talk and get them to
always use SUDO, possibly through management coersion.


Heikki Korpela <heko at> on 04/17/2001 12:56:32 PM

Please respond to heko at

To:   sudo-users at
cc:    (bcc: Scott D. MacKay/943904/EKC)
Subject:  sudo and rksh

I'm a bit frustrated at my colleagues using sudo just to switch to
super-user mode when they login to a server and then operate as
super-users until they exit the system. I've been trying to talk
to them about this but it seems they're mainly forgetting about
my pleads out of habit.

I was thinking about restricting their rights to rksh, chown, chmod,
cat, less, vim and grep. This wouldn't of course prevent them from
using rksh to jump to another shell from a security point of view,
but it might gently force them to use alternative ways of operation
and prevent accidents that happen when over-using the root shell.

Does this sound tyrannic or entirely beyond the limits of common
sense? I will of course discuss with my colleagues first, but I
prefer to make a fool of myself in front of the world instead
of in front of my friends.

<!-- ---------------------- 72 characters -------------------------- -->
                   Heikki Korpela -- heko at

sudo-users mailing list <sudo-users at>
For list information, options, or to unsubscribe, visit:

More information about the sudo-users mailing list