I could walk around sudo!!!

Alek O. Komarnitsky (N-CSC) alek at ast.lmco.com
Tue Feb 13 19:40:51 EST 2001


> From: "Todd C. Miller" <Todd.Miller at courtesan.com>
> Subject: Re: I could walk around sudo!!!
> To: Henry Leung <hleung at osft.com>
> Cc: sudo-users at courtesan.com
> 
> Of course you can.  If you give someone "ALL" then they can do
> *anything*.  It is useless to try to subtract things from ALL since
> there will always be a way to get around the restrictions.
> 
> If you don't trust the people you give "ALL" to you have more
> problems than sudo can solve for you...
> 
>  - todd


Just to add to Todd's "duhhhh" response (which is right on IMHO),
you can configure syslog to send sudo events to a remote server
which you have secured. Of course the admin on the original 
machine could tweak syslogd ... but anyone who thinks sudo itself
is insecure because of how it properly works probably doesn't
know enough about syslog to realize what to do there!    ;-)

alek
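
An added example (not part of the original thread and not code from the sudo project): a small Python check that flags sudoers rules which grant ALL and then try to subtract commands from it, the pattern Todd describes as useless. The sample sudoers text is constructed, and the parser is a simplification that assumes one host spec per rule and no escaped commas.

```python
import re

# Constructed sample sudoers text (not from the thread).
SAMPLE = r"""
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
Defaults syslog=authpriv
henry   ALL = (ALL) ALL, !/bin/su, \
                    !SHELLS
ops     ALL = /usr/bin/systemctl restart nginx
%wheel  ALL = (ALL) NOPASSWD: ALL   # full grant, no subtraction
"""

# Lines that are not user rules: comments/includes, Defaults, alias definitions.
SKIP = re.compile(r"^(#|Defaults|\w+_Alias\b)")

def logical_lines(text):
    """Yield rules with backslash continuations joined and comments removed."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = re.sub(r"\s#.*$", "", line).strip()
        if line and not SKIP.match(line):
            yield line

def find_subtractions(text):
    """Return (who, [negated commands]) for each rule that grants ALL
    and then tries to subtract commands from it."""
    findings = []
    for line in logical_lines(text):
        if "=" not in line:
            continue
        left, right = line.split("=", 1)
        right = re.sub(r"\([^)]*\)", " ", right)    # drop (runas) specs
        right = re.sub(r"\b[A-Z_]+:", " ", right)   # drop tags such as NOPASSWD:
        cmds = [c.strip() for c in right.split(",") if c.strip()]
        negated = [c for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:
            findings.append((left.split()[0], negated))
    return findings

if __name__ == "__main__":
    for who, negated in find_subtractions(SAMPLE):
        print(f"{who}: ALL is granted, so these exclusions restrict nothing: {negated}")
```

Rules it reports are better rewritten as an explicit list of allowed commands, with sudo's log sent to a remote syslog host as the post suggests.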


