sudo and rksh

mackay at kodak.com
Tue Apr 17 13:22:04 EDT 2001


From: Scott D. MacKay

It probably would do little good. You will never get every shell and even
then all they need to do is a 'cp' of a shell to another name.  This is the
inherent problem with 'command denial' based rules instead of 'command
allow' based rules.
You need to either determine which commands they are allowed to use (and
set up rules to only allow those) or have a serious talk and get them to
always use SUDO, possibly through management coercion.

-Scott






Heikki Korpela <heko at saitti.net> on 04/17/2001 12:56:32 PM

Please respond to heko at saitti.net

To:   sudo-users at courtesan.com
cc:    (bcc: Scott D. MacKay/943904/EKC)
Subject:  sudo and rksh





I'm a bit frustrated at my colleagues using sudo just to switch to
super-user mode when they login to a server and then operate as
super-users until they exit the system. I've been trying to talk
to them about this but it seems they're mainly forgetting about
my pleas out of habit.

I was thinking about restricting their rights to rksh, chown, chmod,
cat, less, vim and grep. This wouldn't of course prevent them from
using rksh to jump to another shell from a security point of view,
but it might gently force them to use alternative ways of operation
and prevent accidents that happen when over-using the root shell.

Does this sound tyrannic or entirely beyond the limits of common
sense? I will of course discuss with my colleagues first, but I
prefer to make a fool of myself in front of the world instead
of in front of my friends.

<!-- ---------------------- 72 characters -------------------------- -->
                   Heikki Korpela -- heko at saitti.net

____________________________________________________________
sudo-users mailing list <sudo-users at courtesan.com>
For list information, options, or to unsubscribe, visit:
http://www.courtesan.com/mailman/listinfo/sudo-users
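
The contrast between 'command denial' and 'command allow' rules discussed in this thread, as an added example that is not part of either message: a small Python audit that flags sudoers user specifications built on negation or that grant a shell. The sample rules, the `SHELLS` list and the `audit` function are constructed for illustration, and only simple one-line specifications without aliases or tags are handled.

```python
import os
import re

# Basenames treated as shells (assumed list; extend for your environment).
SHELLS = {"sh", "bash", "ksh", "rksh", "csh", "tcsh", "zsh"}

# Constructed sample sudoers user specifications (not from the thread).
SAMPLE = """\
# deny-based: everything except two named shells
alice ALL = (root) ALL, !/bin/sh, !/bin/ksh
# allow-based, but one of the allowed commands is itself a shell
bob   ALL = (root) /usr/bin/rksh, /bin/chown, /bin/chmod
# allow-based with only specific commands
carol ALL = (root) /bin/chown, /bin/chmod, /bin/cat
"""

def audit(text):
    """Return (user, finding) tuples for simple one-line user specs."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        left, right = line.split("=", 1)
        user = left.split()[0]
        # Drop an optional (runas) prefix, then split the command list.
        right = re.sub(r"^\s*\([^)]*\)", "", right)
        cmds = [c.strip() for c in right.split(",") if c.strip()]
        allowed = [c for c in cmds if not c.startswith("!")]
        denied = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in allowed and denied:
            # Negation only matches the listed paths; a renamed copy is not listed.
            findings.append((user, "deny-list: ALL with negated commands"))
        elif "ALL" in allowed:
            findings.append((user, "unrestricted: ALL"))
        for c in allowed:
            path = c.split()[0]
            if os.path.basename(path) in SHELLS:
                findings.append((user, "shell allowed: " + path))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```
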









