I could walk around sudo!!!

Nathan Dietsch nathandi at access.com.au
Tue Feb 13 18:12:43 EST 2001


Henry,

Sudo can be configured to be incredibly tight or, as you say, you can walk
through it. A few things to remember:

* Make sure you use the full path names of the commands which sudo will
execute.
* Make sure the said commands are in directories writeable only by root
and the file can not be modified except by root.
* Do not use vi, or other commands which allow you to escape to a shell.


Nathan

Nathan Dietsch
Systems Consultant
Access Gaming Systems

On Tue, 13 Feb 2001, Saxon, Lamar wrote:

> I am glad someone else was the first to answer...
>
> I did not know where to begin on answering this one.
>
> 1.  The log file is for you to protect.  First by setting the permissions on
> it, secondly by not having your sudoers file so open that anyone could run
> the commands you list.
>
> 2.  Sudo does not block files or access.  It is used to grant access.  If you
> want to block su, then chmod it so only root can execute it.  THEN, give
> access to it via sudo.  You certainly are putting the cart before the horse
> in your scenario.
>
> I agree with Nathan, you might want to read the documentation before posting
> a message like this...  I am sure more people are replying or biting their
> tongues as I type...
>
> lamar
>
> -----Original Message-----
> From: Nathan Dietsch [mailto:nathandi at access.com.au]
> Sent: Tuesday, February 13, 2001 4:34 PM
> To: Henry Leung
> Cc: sudo-users at courtesan.com
> Subject: Re: I could walk around sudo!!!
>
>
> Henry,
>
> This is more to do with your configuration than anything. I think some
> time with the sudoers man page might be advised.
>
> Nathan
>
> Nathan Dietsch
> Systems Consultant
> Access Gaming Systems
>
> On Tue, 13 Feb 2001, Henry Leung wrote:
>
> > I just installed sudo on my system and played around with it. I just
> > feel that sudo can not protect anything. Here is an example:
> >
> > 1) no protection for log file: I can easily delete the entries in
> > /var/log/sudolog by "sudo vi /var/log/sudo" or "sudo rm /var/log/sudo".
> >
> > 2) Can not block certain command :
> >
> > even su is blocked by the sudoers:
> > -----------------------------------------
> > Cmnd_Alias      TEST=/usr/bin/su
> >
> > # User privilege specification
> > root    ALL=(ALL) ALL
> > %sunteam ALL=(ALL) ALL,!TEST
> > ----------------------------------------
> >
> > I can still su to others by creating a simple script. Here it is:
> > -----------------------------------------------------------------------
> > $ more sudotest
> > #!/bin/sh
> > /usr/bin/su $1
> > -----------------------------------------------------------------------
> >
> > The same script can be used to do anything!!!
> >
> > How can you block this?
> >
> > I am looking forward to your response!
> >
> > Best Regards
> >
> > Henry Leung
> >
> > System Administrator, Opensoft Consulting Group Inc.
> > Tel : (416) 260-2656 ext.255
> > Suite 201, 322 King Street West. Toronto,ON, Canada M5V 1J2
> >
> >
> >
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at courtesan.com>
> For list information, options, or to unsubscribe, visit:
> http://www.courtesan.com/mailman/listinfo/sudo-users
>
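A small checker for the three points at the top of Nathan's reply, plus the ALL,!TEST negation pattern from Henry's sudoers, added here as an example (not code from the list or from the sudo project). The SHELL_ESCAPE set, the two sample sudoers fragments and the rule-2 stat check are assumptions; the second sample is an explicit full-path allowlist as the reply recommends.

```python
import os
import re

# Commands that hand the caller a shell or let it edit any file (assumed list).
SHELL_ESCAPE = {"vi", "vim", "view", "ex", "ed", "more", "less", "sh", "bash", "csh", "ksh", "find", "su"}

# Constructed sample: Henry's config plus one line that breaks rules 1 and 3.
WEAK_SUDOERS = """\
Cmnd_Alias      TEST=/usr/bin/su
# User privilege specification
root    ALL=(ALL) ALL
%sunteam ALL=(ALL) ALL,!TEST
henry   ALL=(root) vi /etc/hosts, /usr/bin/less /var/log/sudolog
"""
# Constructed sample: explicit full-path allowlist, no ALL, no editors.
TIGHT_SUDOERS = """\
Cmnd_Alias      SERVICES=/usr/sbin/apachectl restart, /usr/sbin/lpc
%sunteam ALL=(root) SERVICES
"""

def split_commands(spec):
    """Split an entry's right-hand side into commands, dropping (runas) and NOPASSWD:-style tags."""
    spec = re.sub(r"\([^)]*\)", "", spec)
    items = [re.sub(r"^(?:[A-Z]+:\s*)+", "", i.strip()) for i in spec.split(",")]
    return [i for i in items if i]

def unsafe_location(path):
    """Rule 2: the file or its directory is not root-owned or is group/world writable."""
    return any(os.stat(p).st_uid != 0 or os.stat(p).st_mode & 0o022
               for p in (path, os.path.dirname(path)))

def audit(text, check_fs=False):
    """Return (line_no, finding) pairs; check_fs=True also stats each command path."""
    findings, aliases = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        if lhs.startswith("Cmnd_Alias"):         # remember alias contents for later
            aliases[lhs.split()[1]] = split_commands(rhs)
            continue
        cmds = split_commands(rhs)
        if "ALL" in cmds and any(c.startswith("!") for c in cmds):
            findings.append((n, "ALL with ! exclusions: a wrapper script bypasses them"))
        for c in (x for x in cmds if not x.startswith("!")):
            for word in (a.split()[0] for a in aliases.get(c, [c]) if a != "ALL"):
                if not word.startswith("/"):
                    findings.append((n, f"rule 1: '{word}' is not a full path"))
                elif os.path.basename(word) in SHELL_ESCAPE:
                    findings.append((n, f"rule 3: {word} offers a shell escape"))
                elif check_fs and unsafe_location(word):
                    findings.append((n, f"rule 2: {word} is writable by non-root"))
    return findings
```

Run audit(open("/etc/sudoers").read(), check_fs=True) as root to include the ownership and permission check; with the samples above the weak fragment yields three findings and the allowlist none.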