sudoers file config help

Julian.Tan at allianz.com.sg
Wed Sep 19 06:54:08 EDT 2001


I would like to warn all users that it is always VERY DANGEROUS to allow
access to all commands and then find ways to block certain commands ....
I would always suggest enabling commands as and when they are needed, even
if this takes more time to administer and configure. Never ever compromise
security for workload, because once someone has hacked into the system, the
workload might be even heavier ....


Best Regards,
Julian Tan


----- Forwarded by Julian Tan/AZAP/Allianz-SG on 19/09/2001 18:44 -----

From:     Barnaby Brown <barnaby_brown at pacific.net.au>
Sent by:  sudo-users-admin at courtesan.com
To:       sudo-users at courtesan.com
cc:
Subject:  Re: sudoers file config help
Date:     19/09/2001 15:54

On Tue, Sep 18, 2001 at 05:11:59PM -0700, Parson, David wrote:
> I need assistance in setting up the sudoers file in such a way that the
> user can run any commands on the local machine except su to root {any
> shell of course}.  I see a way to do this, but the syntax that I use is
> not correct.
>
> Any recommendations ?

Yes: It can't be done using sudo, don't even try.

> This must be secure - in other words no way can this person or persons
> get to any root shell.
>
> I am sure that I can use the same syntax to restrict activities such as
> "su - something" in the case where I need to do this as well.

Yes, you can block "su - something", and you can block "su <shell>", but
you can't stop somebody creating a new shell under a new name and
sudoing that, and you can't stop them writing an arbitrary shell script
and sudoing that. There are far too many ways around it for anyone to
list... and even when they run out, the person next to them has half a
dozen more.

This should really be added to the FAQ:
Q)  Can I use sudo to grant permission to all commands except a
    certain few? (e.g. shells)
A)  No, there are too many ways to get around it. sudo is designed
    as a tool for granting privileged permissions to certain selected
    actions, and you should be very careful what you allow.

Regards,
Barnaby
--
Barnaby Brown                            -              Systems Engineer
Pacific Internet (Australia) Pty Ltd     -     http://www.pacific.net.au
____________________________________________________________
sudo-users mailing list <sudo-users at courtesan.com>
For list information, options, or to unsubscribe, visit:
http://www.courtesan.com/mailman/listinfo/sudo-users
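As an added example (not part of Barnaby's or Julian's messages, and not from the sudo project), the rule shape the thread rejects is shown next to the allowlist alternative Barnaby recommends, followed by a small shell audit that flags sudoers lines which grant ALL and then subtract commands. The user names, command paths and sample rules are constructed for the demo; the audit is a line-level heuristic and does not expand Cmnd_Alias definitions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sudoers-style file for the
# "grant ALL, then exclude a few commands" pattern the thread warns against.
# User names, paths and the sample rules below are constructed for this demo.

# Weak rule: everything is allowed, then su and a shell are subtracted.
# The exclusion matches only those exact paths; as the reply above notes,
# a shell under another name or a script is still covered by ALL.
WEAK_RULE='dave ALL = ALL, !/bin/su, !/bin/sh'

# Allowlist rule: only the commands the user actually needs are granted.
# Anything not listed, including any shell, is refused.
SAFE_RULE='dave ALL = /usr/sbin/service, /usr/bin/systemctl status *'

# Print every rule line whose command list contains ALL together with a
# negated (!) entry. Comment and Defaults lines are ignored, and runas
# specs in parentheses are dropped so "(ALL, !root)" alone is not flagged.
negated_all_rules() {
    grep -vE '^[[:space:]]*(#|Defaults)' "$1" \
        | sed 's/([^)]*)//g' \
        | grep -E '=(.*[[:space:],])?ALL([[:space:],]|$).*!' || true
}

# Number of such rules, usable as a pre-deploy check (0 means clean).
count_negated_all_rules() {
    negated_all_rules "$1" | wc -l | tr -d ' '
}

# Build a constructed sample file and run the audit against it.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample sudoers' \
    'Defaults env_reset' \
    "$WEAK_RULE" \
    "$SAFE_RULE" \
    'ops ALL = (ALL, !root) /usr/bin/less' \
    'backup ALL = NOPASSWD: ALL, !/usr/bin/passwd' > "$sample"

echo "Rules that grant ALL and then exclude commands:"
negated_all_rules "$sample"
echo "count: $(count_negated_all_rules "$sample")"   # prints 2
rm -f "$sample"
```

Run it against a copy of a real sudoers (or the output of `visudo -c -f`-checked files) in a deploy pipeline; a non-zero count is the signal to rewrite the rule as an explicit command list rather than to add more `!` entries.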