sudo and rksh

Heikki Korpela heko at
Tue Apr 17 13:43:10 EDT 2001

On Tue, 17 Apr 2001 mackay at wrote:

> It probably would do little good. You will never get every shell and even
> then all they need to do is a 'cp' of a shell to another name.

Every shell? I'm only allowing rksh here. They wouldn't be so stupid as
to do a cp, they could just visudo if that was the issue here.

> This is the
> inherent problem with 'command denial' based rules instead of 'command
> allow' based rules.

This is a command allow, for rksh, chown, chmod, cat, less, vim and grep?

> You need to either determine which commands they are allowed to use (and
> set up rules to only allow those) or have a serious talk and get them to
> always use SUDO, possibly through management coersion.

They don't use su, ever. They probably don't remember the password.
The problem is they use sudo excessively as a root shell to do things
they could do as normal users.

Management coersion is hardly needed. If they mess something up, I can
always tell them to fix it up themselves :-), but I'd prefer we achieved
a more stable system with some little work on their bad habits.

> -Scott

<!-- ---------------------- 72 characters -------------------------- -->
                   Heikki Korpela -- heko at

More information about the sudo-users mailing list