I could walk around sudo!!!
Saxon, Lamar
Lamar.Saxon at americredit.com
Tue Feb 13 17:55:50 EST 2001
I am glad someone else was the first to answer...
I did not know where to begin on answering this one.
1. The log file is for you to protect. First by setting the permissions on
it, secondly by not having your sudoers file so open that anyone could run
the commands you list.
2. Sudo does not block files or access. It is used to grant access. If you
want to block su, then chmod it so only root can execute it. THEN, give
access to it via sudo. You certainly are putting the cart before the horse
in your scenario.
I agree with Nathan, you might want to read the documentation before posting
a message like this... I am sure more people are replying or biting their
tongues as I type...
lamar
-----Original Message-----
From: Nathan Dietsch [mailto:nathandi at access.com.au]
Sent: Tuesday, February 13, 2001 4:34 PM
To: Henry Leung
Cc: sudo-users at courtesan.com
Subject: Re: I could walk around sudo!!!
Henry,
This is more to do with your configuration than anything. I think some
time with the sudoers man page might be advised.
Nathan
Nathan Dietsch
Systems Consultant
Access Gaming Systems
On Tue, 13 Feb 2001, Henry Leung wrote:
> I have just installed sudo in my system and played around with it. I just
> feel that sudo can not protect anything. Here is an example:
>
> 1) no protection for Log file : I can easily delete the entries in
> /var/log/sudolog by " sudo vi /var/log/sudo" or "sudo rm /var/log/sudo".
>
> 2) Can not block certain command :
>
> even su is blocked by the sudoers:
> -----------------------------------------
> Cmnd_Alias TEST=/usr/bin/su
>
> # User privilege specification
> root ALL=(ALL) ALL
> %sunteam ALL=(ALL) ALL,!TEST
> ----------------------------------------
>
> I still can su to others by creating a simple script. here it is:
> -----------------------------------------------------------------------
> $ more sudotest
> #!/bin/sh
> /usr/bin/su $1
> -----------------------------------------------------------------------
>
> Same script can be used to do anything!!!
>
> How can you block this?
>
> I am looking forward to your response!
>
> Best Regards
>
> Henry Leung
>
> System Administrator, Opensoft Consulting Group Inc.
> Tel : (416) 260-2656 ext.255
> Suite 201, 322 King Street West. Toronto,ON, Canada M5V 1J2
>
>
>
____________________________________________________________
sudo-users mailing list <sudo-users at courtesan.com>
For list information, options, or to unsubscribe, visit:
http://www.courtesan.com/mailman/listinfo/sudo-users
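The rule in the quoted message, `ALL,!TEST`, grants everything and then subtracts one path, so a wrapper script or a copy of the binary is not matched by the negation. As an added example (not part of the thread and not sudo's own code), this Python sketch flags that pattern in a sudoers fragment; it handles only a simplified subset of the sudoers grammar, and the `%webteam` line and the `audit` function name are constructed for illustration.

```python
import re

# Constructed sample: the sudoers lines quoted in the thread, plus one
# constructed allowlist rule (%webteam) for contrast.
SAMPLE = """\
Cmnd_Alias TEST=/usr/bin/su

# User privilege specification
root ALL=(ALL) ALL
%sunteam ALL=(ALL) ALL,!TEST
%webteam ALL=(root) /usr/sbin/apachectl
"""

ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# who hosts = (runas) commands; tags such as NOPASSWD: are not handled.
SPEC = re.compile(r"^(\S+)\s+[^=]+=\s*(?:\([^)]*\)\s*)?(.+)$")

def split_cmds(s):
    return [c.strip() for c in s.split(",") if c.strip()]

def audit(text):
    """Return (line_no, who, denied_paths) for every rule that grants ALL
    and then tries to subtract commands with '!'."""
    aliases, specs = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = split_cmds(m.group(2))
        elif (m := SPEC.match(line)):
            specs.append((n, m.group(1), split_cmds(m.group(2))))
    findings = []
    for n, who, cmds in specs:
        denied = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in cmds and denied:
            # Expand alias names to the paths they stand for.
            paths = [p for d in denied for p in aliases.get(d, [d])]
            findings.append((n, who, paths))
    return findings

if __name__ == "__main__":
    for n, who, paths in audit(SAMPLE):
        print(f"line {n}: {who} gets ALL minus {paths}; "
              "negation only matches those exact paths, use an allowlist")
```

Rules it reports are candidates for rewriting as an explicit list of permitted commands, as the `%webteam` line does.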