sudo problem...

mackay at kodak.com mackay at kodak.com
Tue Sep 11 09:24:21 EDT 2001


From: Scott D. MacKay

First off, to make sure everything is on the right page...
1) By 'users' do you mean regular non-privileged people?
2) By 'not to use the kill command' do you mean you do not want users, as
themselves, to use the kill command or do you mean users, as root via
sudo, not to use the kill command?

A couple of answers, depending on the above
"I do not want users, as themselves, to be able to use the kill command"
Tough :)  It would be hard.  Yes, you can chmod the kill command so only
restrictive groups can use it, but if you have a compiler you can always
easily remake the command.

"I want people who use SUDO to not be able to use the kill command"
This depends on your rules.  I take it, by how it was written, you have an
ALL=ALL rule.  You are out of luck I am afraid.  Take advice from the
standard thinking around firewall rulesets: "That which is not explicitly
allowed is denied".  Do not work from the direction of "I will allow
everything except XYZ", instead approach your rules from "I will explicitly
indicate what is allowed".  It is trivial to get around any "!kill" type of
directive, from copying the executable to compiling something new, to using
escapes from stuff like ftp, vi. If you need to put restrictions on
someone, always explicitly indicate what is allowed.
Hope it helps!

-Scott





Ravindra Pai <rgpai at yahoo.com>@courtesan.com on 09/10/2001 03:43:52 PM

Sent by:  sudo-users-admin at courtesan.com


To:   sudo-users at courtesan.com
cc:
Subject:  sudo problem...


Hi

I am using sudo V1.5.9 on AIX 4.3.3. I want the users
not to use the kill command. Is it possible to
restrict the user using some commands?

Thanks & Regards
Ravi

=====
Web Site : http://rgpai72.tripod.com/rgpai72   Fax No : 1-646-304-7658

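The contrast described in the reply above, written out as a sudoers fragment. This is an added example, not part of the original thread; the user names, the path to kill, and the allowed commands are assumptions chosen for illustration.

```sudoers
# --- Weak: allow everything, then try to subtract kill -----------------
# The negation matches only this exact path. As the reply notes, the same
# program under another path, a freshly compiled equivalent, or a shell
# escape from an allowed program such as vi or ftp is still covered by ALL.
# (user name and kill path are assumed)
ravi_user   ALL = ALL, !/usr/bin/kill

# --- Explicit: list what is allowed, everything else is denied ---------
# Only these fully qualified commands can be run through sudo. Nothing on
# the list is an editor, pager, ftp client, or shell, so there is no
# escape to a root shell from an allowed command.
# (alias name and command paths are assumed)
Cmnd_Alias  OPS_TASKS = /usr/bin/errpt, /usr/local/sbin/rotate_logs

ravi_user   ALL = OPS_TASKS
```

Use one form or the other for a given user, not both, and edit the file with visudo so a syntax error does not lock out sudo.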