shell with sudo

mlh at zip.com.au
Tue Apr 1 09:05:41 EST 2003


On Mon, 31 Mar 2003 16:31:28 -0500
amir.fadaghi at equant.com wrote:

> All,
> 
> I am sort of new to sudo.  I am running a bunch of development servers that
> I configure sudo on.  I found the developers can run their script and
> do some things as root by
> sudo  user-script  shell.
> 
> My question is, how can I prevent users from getting to shell as root.  Any
> help would be appreciated.
> My /etc/sudoers is as follows
> 
> root ALL = (ALL) ALL
> trilogy ALL = (root) /usr/netscape/server4/https-ressundevl/start,
> /usr/netscape/server4/https-ressund/stop,

You need to make sure that these scripts are owned by root,
are the original netscape scripts and that the directory
that they're in is owned by root.  i.e. mere users cannot
write, remove or rename the scripts.

But they still might be able to become root, depending on
how well netscape write their scripts.  I think that these
scripts were probably not written with sudo in mind.

But there is a more important issue here.  If your users
are circumventing system security you have an issue to raise
with your information security officer or other senior manager.

Regards,
Matt
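
The ownership conditions in the reply above can be checked mechanically. The following is an added example, not part of the original thread: a POSIX shell function that walks from a sudoers-listed command up through its parent directories and reports any component that is not owned by the expected uid, is writable by group or other, or is a symlink. The function name and its optional uid and top-directory arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a command named in sudoers.
# Usage: check_sudo_target /abs/path [owner_uid] [top_dir]
#   owner_uid defaults to 0 (root). top_dir defaults to / and is the last
#   ancestor checked. Both optional arguments are conveniences of this example.
# Returns 0 if every component is clean, 1 on any finding, 2 on bad input.
check_sudo_target() {
    p=$1; want_uid=${2:-0}; top=${3:-/}; rc=0
    case $p in
        /*) ;;
        *) echo "NOT-ABSOLUTE $p"; return 2 ;;
    esac
    [ -e "$p" ] || { echo "MISSING $p"; return 2; }
    while :; do
        if [ -L "$p" ]; then
            # Whoever can write the link's directory can retarget it;
            # list the real path in sudoers instead.
            echo "SYMLINK $p"; rc=1
        else
            # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
            # Characters 6 and 9 of the mode are group-write and other-write.
            set -- $(ls -ldn "$p" | awk '{print substr($1,6,1), substr($1,9,1), $3}')
            [ "$3" = "$want_uid" ] || { echo "OWNER uid=$3 $p"; rc=1; }
            [ "$1" = "-" ] || { echo "GROUP-WRITABLE $p"; rc=1; }
            [ "$2" = "-" ] || { echo "OTHER-WRITABLE $p"; rc=1; }
        fi
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}
```

Any group- or other-writable component is reported, including sticky directories, so the check is deliberately conservative. It covers only the file-system conditions; what the scripts themselves do when run as root still has to be reviewed by reading them.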

