sudo and rksh

Heikki Korpela heko at saitti.net
Tue Apr 17 14:41:32 EDT 2001


On Tue, 17 Apr 2001, Scott MacKay wrote:

> The above allows you to run 'su' because it is not denied.  It disallows
> you to run /bin/sh because it is explicitly denied.  The problem:  What
> is to keep an admin from 'cp /bin/csh /tmp/myshell' and SUDOing
> /tmp/myshell?

The fact that he remembers he's not supposed to do it. :-)

> This is versus 'allow because it is explicitly allowed':
> # Policy: allow because it is explicitly allowed
> Cmnd_Alias VOLMGT=/etc/init.d/volmgt start,/etc/init.d/volmgt stop
> ADMINS ALL=VOLMGT
> # End policy

Yes, this was what I was going to do.

> and maybe even activate
> the sudo banner to remind them to use SUDO properly to start.

The lecture isn't effective if you've seen it too many times. They have.
I always use it, even for my own workstation.

Can you change it?

> If they then go and instead fork out of apps
> to get a root command line (you could probably write a cron to 'ps' and
> grep on root using a shell),

I use syslog for this. :-)

> well then maybe you need to restrict more
> as that is a bit more 'covering what I do' vs 'not wanting the hassle of
> 3 "sudo" commands vs 1 nice "sudo /bin/csh"'

Luckily, this is not a "me vs. them" but an "all of us vs. problems
and wasting resources" issue.

                   Heikki Korpela -- heko at saitti.net
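
Added example, not part of the original message and not code from sudo: a small linter that flags sudoers rules which grant ALL and then subtract commands with '!', the deny-list pattern the thread describes as defeated by copying a shell to another path. The SHELLS and OPERATORS names and the deny rule are constructed for illustration; VOLMGT and ADMINS are the allow-list rule quoted above. Only a simplified subset of sudoers syntax is handled (one alias per line, no escaped commas, no #include).

```python
import re

# Constructed sample: the first and third lines are an assumed deny-list policy;
# the VOLMGT/ADMINS lines are the allow-list policy quoted in the thread.
SAMPLE = """\
Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/rksh
Cmnd_Alias VOLMGT = /etc/init.d/volmgt start, /etc/init.d/volmgt stop
OPERATORS ALL = ALL, !SHELLS
ADMINS ALL = VOLMGT
"""

def parse_sudoers(text):
    """Return (cmnd_aliases, rules); each rule is (who, [command entries])."""
    aliases, rules = {}, []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()             # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
        elif re.match(r"(User|Host|Runas)_Alias\b", line):
            continue
        elif "=" in line:
            who, cmds = line.split("=", 1)
            # Drop "(runas)" lists and tags such as "NOPASSWD:".
            cmds = re.sub(r"\([^)]*\)|\b[A-Z_]+:", "", cmds)
            rules.append((who.split()[0], [c.strip() for c in cmds.split(",")]))
    return aliases, rules

def expand(entry, aliases, negated=False):
    """Flatten one entry into (negated, command) pairs, following aliases."""
    while entry.startswith("!"):
        negated, entry = not negated, entry[1:].strip()
    if entry in aliases:
        return [p for e in aliases[entry] for p in expand(e, aliases, negated)]
    return [(negated, entry)]

def denylist_rules(text):
    """Rules that grant ALL and then try to subtract commands with '!'."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for who, cmds in rules:
        flat = [p for c in cmds for p in expand(c, aliases)]
        denied = [cmd for neg, cmd in flat if neg]
        if (False, "ALL") in flat and denied:
            findings.append((who, denied))
    return findings

if __name__ == "__main__":
    for who, denied in denylist_rules(SAMPLE):
        print(f"{who}: ALL minus {denied} matches by path, so a copy is not denied")
```
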



