I could walk around sudo!!!

Henry Leung hleung at osft.com
Thu Feb 15 12:23:02 EST 2001

Thank you for your reply.

The case in my company is that we are doing system level software
programming. The programmer and QA need to be root to do some test, but some
programmers still like to play around on the system, and leave the garbage
into the system. I want give the root privilige, but I still want to block
some thing or keep track of the command they are using.

It's seems that I have to configure all the command or directory that allow
those programmer to do. Is that right?

Thanks goes to:
"Todd C. Miller" <Todd.Miller at courtesan.com>
Alek O. Komarnitsky (N-CSC) [mailto:alek at ast.lmco.com]
Nathan Dietsch [mailto:nathandi at access.com.au]
Saxon, Lamar [mailto:Lamar.Saxon at americredit.com]
mackay at kodak.com [mailto:mackay at kodak.com]

-----Original Message-----
From: mackay at kodak.com [mailto:mackay at kodak.com]
Sent: Thursday, February 15, 2001 9:19 AM
To: Henry Leung
Subject: Re: I could walk around sudo!!!

From: Scott D. MacKay

Wow, if this were on slashdot I am sure this would receive a troll flag....
As many people have said, you really need to read the docs more.  If you
still want to avoid that, think of the tool another way than you currently

SUDO should be treated as a 'allowance by rule definition' rather than a
'disallowance by rule definition'.  This means that you should configure
SUDO to specifically allow well defined commands rather than say "allow
everything BUT xyz'.  Really, there are not that many commands where a
person NEEDS to be root to perform system administration.  For those cases,
the definitions in the sudoers file should call out the explicit commands.
If you give a person full root access, there is nothing to keep them from
editing the password file, creating a chmod +s shell, etc etc.
When would you use the 'ALL' option?  There are good cases, but in every
one the targeted individuals are people that are completely trusted.
For me, I use the 'ALL' option for myself so I do not need to send the root
password across the wire when telneted into another machine (plus I have it
configured for SecurID authentication so my password is useless to would-be
hackers too)...

Scott MacKay

"Henry Leung" <hleung at osft.com> on 02/13/2001 05:11:27 PM

To:   sudo-users at courtesan.com
cc:    (bcc: Scott D. MacKay/943904/EKC)
Subject:  I could walk around sudo!!!

I am just installed sudo in my system. and played around with it. I just
feel that sudo can not protect anything. Here is am example:

1) no protection for Log file : I can easily delete the enties in
/var/log/sudolog by " sudo vi /var/log/sudo" or "sudo rm /var/log/sudo".

2) Can not block certain command :

even su is blocked by the sudoers:
Cmnd_Alias      TEST=/usr/bin/su

# User privilege specification
root    ALL=(ALL) ALL
%sunteam ALL=(ALL) ALL,!TEST

I still can su to others by creating a simple script. here it is:
$ more sudotest
/usr/bin/su $1

Same script can be used to do any thing!!!

How can you block this?

I looking forward to your response!

Best Regards

Henry Leung

System Administrator, Opensoft Consulting Group Inc.
Tel : (416) 260-2656 ext.255
Suite 201, 322 King Street West. Toronto,ON, Canada M5V 1J2

More information about the sudo-users mailing list