I could walk around sudo!!!

mackay at kodak.com mackay at kodak.com
Thu Feb 15 09:20:09 EST 2001

From: Scott D. MacKay

Wow, if this were on slashdot I am sure this would receive a troll flag....
As many people have said, you really need to read the docs more.  If you
still want to avoid that, think of the tool another way than you currently

SUDO should be treated as a 'allowance by rule definition' rather than a
'disallowance by rule definition'.  This means that you should configure
SUDO to specifically allow well defined commands rather than say "allow
everything BUT xyz'.  Really, there are not that many commands where a
person NEEDS to be root to perform system administration.  For those cases,
the definitions in the sudoers file should call out the explicit commands.
If you give a person full root access, there is nothing to keep them from
editing the password file, creating a chmod +s shell, etc etc.
When would you use the 'ALL' option?  There are good cases, but in every
one the targeted individuals are people that are completely trusted.
For me, I use the 'ALL' option for myself so I do not need to send the root
password across the wire when telneted into another machine (plus I have it
configured for SecurID authentication so my password is useless to would-be
hackers too)...

Scott MacKay

"Henry Leung" <hleung at osft.com> on 02/13/2001 05:11:27 PM

To:   sudo-users at courtesan.com
cc:    (bcc: Scott D. MacKay/943904/EKC)
Subject:  I could walk around sudo!!!

I am just installed sudo in my system. and played around with it. I just
feel that sudo can not protect anything. Here is am example:

1) no protection for Log file : I can easily delete the enties in
/var/log/sudolog by " sudo vi /var/log/sudo" or "sudo rm /var/log/sudo".

2) Can not block certain command :

even su is blocked by the sudoers:
Cmnd_Alias      TEST=/usr/bin/su

# User privilege specification
root    ALL=(ALL) ALL
%sunteam ALL=(ALL) ALL,!TEST

I still can su to others by creating a simple script. here it is:
$ more sudotest
/usr/bin/su $1

Same script can be used to do any thing!!!

How can you block this?

I looking forward to your response!

Best Regards

Henry Leung

System Administrator, Opensoft Consulting Group Inc.
Tel : (416) 260-2656 ext.255
Suite 201, 322 King Street West. Toronto,ON, Canada M5V 1J2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/octet-stream
Size: 2044 bytes
Desc: not available
URL: </pipermail/sudo-users/attachments/20010215/782ca8bf/attachment.obj>

More information about the sudo-users mailing list