Sudo conundrum

Monappallil, George George.Monappallil at
Tue Mar 11 10:59:07 EST 2003

Guys, I must be missing something here. I installed sudo 1.6.6 on my Solaris
7 box. My sudoers file looks like this:

# Host alias specification
Host_Alias     SPARC = haley

# User alias specification
User_Alias      SYSADMIN = sshd
User_Alias      OPS = cmurray
User_Alias      DEV = robs, weitzman, dhohney, gmonappa

# Cmnd alias specification
Cmnd_Alias      TS = /usr/bin/ls, /usr/bin/grep, /usr/bin/egrep, /usr/bin/cd, \
                     /usr/bin/cp, /usr/bin/find, /usr/bin/head, /usr/bin/tail, /usr/bin/man, \
                     /usr/bin/tar, /usr/bin/more, /usr/bin/df, /usr/bin/ps
Cmnd_Alias      NOTS = /usr/bin/su, /usr/bin/rm, /usr/bin/rmdir, /sbin/init, /sbin/mount, \
                       /sbin/umount, /sbin/umountall, /sbin/init, /usr/sbin/

# User privilege specification
root     ALL = (ALL) ALL
OPS      ALL = (ALL) ALL

# Set sudo log options
Defaults               syslog=auth


As you can see, I have tried to restrict the users under DEV to the commands
listed under command alias TS and to keep them from using the commands listed
under NOTS. However, the interesting part is that when I log in as a user
listed under DEV (for example "robs"), I can run any command, even those that
are not listed under TS, if I don't precede the command with "sudo". Example:

User robs# mount /u01

As you can see, I haven't preceded the command above with "sudo". Is this
a loophole?

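The following is an added example, not part of the original post or of the sudo project. It reconstructs the posted sudoers file inline (labelled as constructed), appends the one privilege line the file is missing, and runs a small lint over both copies that lists every User_Alias that is defined but never granted anything. The alias name DEV and the host alias SPARC come from the post; the added rule `DEV SPARC = (root) TS` and the lint function `unused_user_aliases` are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Reconstructs the posted sudoers
# (constructed inline, so this runs offline), adds the rule the post is missing,
# and lints both: any User_Alias that never appears in a privilege line grants
# its members nothing, which is exactly DEV's situation in the original file.

ORIGINAL='# Host alias specification
Host_Alias     SPARC = haley
# User alias specification
User_Alias      SYSADMIN = sshd
User_Alias      OPS = cmurray
User_Alias      DEV = robs, weitzman, dhohney, gmonappa
# Cmnd alias specification
Cmnd_Alias      TS = /usr/bin/ls, /usr/bin/grep, /usr/bin/egrep, /usr/bin/cd, \
                     /usr/bin/cp, /usr/bin/find, /usr/bin/head, /usr/bin/tail, /usr/bin/man, \
                     /usr/bin/tar, /usr/bin/more, /usr/bin/df, /usr/bin/ps
Cmnd_Alias      NOTS = /usr/bin/su, /usr/bin/rm, /usr/bin/rmdir, /sbin/init, /sbin/mount, \
                       /sbin/umount, /sbin/umountall, /sbin/init, /usr/sbin/
# User privilege specification
root     ALL = (ALL) ALL
OPS      ALL = (ALL) ALL
Defaults               syslog=auth'

# The fix (hypothetical rule, not from the post): a privilege line that actually
# references DEV. Members of DEV may then run the TS commands as root on host
# haley through sudo. NOTS stays unused: sudo denies anything not explicitly
# allowed, so a deny list adds nothing here.
CORRECTED="$ORIGINAL
DEV      SPARC = (root) TS"

# Print, one per line and sorted, every User_Alias defined in the sudoers text
# given as $1 that is never used as the user part of a privilege line.
unused_user_aliases() {
    printf '%s\n' "$1" | awk '
        # Join backslash continuation lines before looking at them.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*(#|$)/ { next }                   # comments and blanks
        line ~ /^[ \t]*Defaults/ { next }                # option lines
        line ~ /^[ \t]*(Host|Cmnd|Runas)_Alias/ { next } # aliases of other kinds
        line ~ /^[ \t]*User_Alias/ {                     # User_Alias NAME = members
            sub(/^[ \t]*User_Alias[ \t]+/, "", line)
            split(line, kv, "=")
            name = kv[1]; gsub(/[ \t]/, "", name)
            defined[name] = 1
            next
        }
        {
            # Privilege line: "user_list host_list = runas cmnd_list".
            # Everything before "=" minus its last token is the user list.
            eq = index(line, "=")
            if (eq == 0) next
            lhs = substr(line, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", lhs)
            nt = split(lhs, tok, /[ \t]+/)
            users = ""
            for (i = 1; i < nt; i++) users = users tok[i]
            m = split(users, u, ",")
            for (i = 1; i <= m; i++) used[u[i]] = 1
        }
        END { for (a in defined) if (!(a in used)) print a }
    ' | sort
}

echo "User aliases granted nothing in the original:";  unused_user_aliases "$ORIGINAL"
echo "User aliases granted nothing in the corrected:"; unused_user_aliases "$CORRECTED"
```

Two points the lint makes concrete. First, sudoers only decides what sudo will run on a user's behalf; a command typed without `sudo` never consults it, so `mount /u01` run directly as robs succeeds or fails on that account's own Unix privileges (whatever the shell it is typed into already has), and no sudoers rule can change that. Second, in the posted file DEV and SYSADMIN are defined but never appear on a privilege line, so their members get nothing from sudo at all; `sudo -l` run as robs shows exactly what sudo would allow. One caveat on the corrected rule: several TS entries (`more`, `man`, `find` with `-exec`, `tar`) can spawn a shell or write arbitrary files, so granting them as root is close to granting root, and `/usr/bin/cd` run under sudo cannot change the invoking shell's directory.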