sudo and rksh
Heikki Korpela
heko at saitti.net
Tue Apr 17 13:43:10 EDT 2001
On Tue, 17 Apr 2001 mackay at kodak.com wrote:
> It probably would do little good. You will never get every shell and even
> then all they need to do is a 'cp' of a shell to another name.
Every shell? I'm only allowing rksh here. They wouldn't be so stupid as
to do a cp, they could just visudo if that was the issue here.
> This is the
> inherent problem with 'command denial' based rules instead of 'command
> allow' based rules.
This is a command allow, for rksh, chown, chmod, cat, less, vim and grep?
> You need to either determine which commands they are allowed to use (and
> set up rules to only allow those) or have a serious talk and get them to
> always use SUDO, possibly through management coersion.
They don't use su, ever. They probably don't remember the password.
The problem is they use sudo excessively as a root shell to do things
they could do as normal users.
Management coersion is hardly needed. If they mess something up, I can
always tell them to fix it up themselves :-), but I'd prefer we achieved
a more stable system with some little work on their bad habits.
> -Scott
<!-- ---------------------- 72 characters -------------------------- -->
Heikki Korpela -- heko at saitti.net
More information about the sudo-users
mailing list