Sudo conundrum
Monappallil, George
George.Monappallil at dialog.com
Tue Mar 11 10:59:07 EST 2003
Guys, I must be missing something here. I installed Sudo 1.6.6 on my Solaris
7 box. My sudoers file looks like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Host alias specification
Host_Alias SPARC = haley
# User alias specification
User_Alias SYSADMIN = sshd
User_Alias OPS = cmurray
User_Alias DEV = robs, weitzman, dhohney, gmonappa
# Cmnd alias specification
Cmnd_Alias TS = /usr/bin/ls, /usr/bin/grep, /usr/bin/egrep, /usr/bin/cd, \
                /usr/bin/cp, /usr/bin/find, /usr/bin/head, /usr/bin/tail, /usr/bin/man, \
                /usr/bin/tar, /usr/bin/more, /usr/bin/df, /usr/bin/ps
Cmnd_Alias NOTS = /usr/bin/su, /usr/bin/rm, /usr/bin/rmdir, /sbin/init, /sbin/mount, \
                  /sbin/umount, /sbin/umountall, /sbin/init, /usr/sbin/
# User privilege specification
root ALL = (ALL) ALL
SYSADMIN ALL = (ALL) ALL
OPS ALL = (ALL) ALL
DEV ALL = TS, !NOTS
# Set sudo log options
Defaults syslog=auth
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As you can see, I have tried to restrict the users under DEV to the commands
listed under the command alias TS and to keep them from using the commands listed under NOTS.
However, the interesting part is that when I log in as a user that is
listed under DEV (for example "robs"), I can run any command, even those that
are not listed under TS, if I don't precede the command with "sudo". Example:
User robs# mount /u01
As you can see, I haven't preceded the command above with "sudo". Is this
a loophole?
-George
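As an added example (not from the post or from the sudo project), here is a small Python evaluator of the posted policy's sudo semantics: it expands the aliases, applies the `!` negation with sudo's last-match-wins rule, and answers only the question sudoers actually decides, namely whether `sudo <command>` is permitted. The sudoers text is the poster's with comments and the Defaults line dropped, and the host name haley is taken from the Host_Alias; a command typed without sudo never consults this policy and runs with the user's own permissions, and `!NOTS` grants or removes nothing for a user whose only allowed commands are TS.

```python
import re

SUDOERS = """\
User_Alias OPS = cmurray
User_Alias DEV = robs, weitzman, dhohney, gmonappa
Cmnd_Alias TS = /usr/bin/ls, /usr/bin/grep, /usr/bin/egrep, /usr/bin/cd, /usr/bin/cp, /usr/bin/find, \\
    /usr/bin/head, /usr/bin/tail, /usr/bin/man, /usr/bin/tar, /usr/bin/more, /usr/bin/df, /usr/bin/ps
Cmnd_Alias NOTS = /usr/bin/su, /usr/bin/rm, /usr/bin/rmdir, /sbin/init, /sbin/mount, \\
    /sbin/umount, /sbin/umountall, /sbin/init, /usr/sbin/
root ALL = (ALL) ALL
OPS ALL = (ALL) ALL
DEV ALL = TS, !NOTS
"""  # sudoers from the post (continuations kept, comments/Defaults dropped): constructed input

def parse(text):
    """Return (aliases, specs): alias name -> member list, and (user, host, cmnd_list) entries."""
    aliases, specs = {}, []
    lines = [l.split("#", 1)[0].strip() for l in re.sub(r"\\\n", " ", text).splitlines()]
    for line in filter(None, lines):
        m = re.match(r"(?:Host|User|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
            continue
        user, host, cmnds = re.match(r"(\S+)\s+(\S+)\s*=\s*(?:\([^)]+\)\s*)?(.*)", line).groups()
        specs.append((user, host, [x.strip() for x in cmnds.split(",")]))
    return aliases, specs

def expand(name, aliases):
    """Expand an alias (recursively) into leaf names; a non-alias name is its own leaf."""
    return [leaf for m in aliases.get(name, [name])
            for leaf in (expand(m, aliases) if m in aliases else [m])]

def cmnd_matches(pat, cmd):
    # ALL matches anything; a pattern ending in "/" matches any file directly in that directory
    return pat == "ALL" or pat == cmd or (
        pat.endswith("/") and cmd.startswith(pat) and "/" not in cmd[len(pat):])

def allowed(policy, user, host, command):
    """Would `sudo command` be permitted for user@host? Later matching entries override earlier ones."""
    aliases, specs = policy
    verdict = False  # nothing matched: sudo refuses
    for spec_user, spec_host, cmnds in specs:
        if not all(v == "ALL" or k in expand(v, aliases)
                   for k, v in ((user, spec_user), (host, spec_host))):
            continue
        for entry in cmnds:
            for pat in expand(entry.lstrip("!"), aliases):
                if cmnd_matches(pat, command):
                    verdict = not entry.startswith("!")
    return verdict
```

Run `allowed(parse(SUDOERS), "robs", "haley", "/usr/bin/vi")` to see that a command absent from TS is already refused by sudo whether or not it appears in NOTS.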