security issue with exception lists
ullrich.rieger at syngenio.de
Tue Sep 23 04:20:55 EDT 2003
I have configured sudo on a machine for development purposes. The idea was to
give a colleague administration rights on this machine without adding him to
the administrator group, so I basically added these lines to the sudoers file:
# Host alias specification
Host_Alias ACH_SERVER = methusalix
User_Alias ADMIN = jdoe
ADMIN ACH_SERVER = NOPASSWD: ALL, !/bin/su, !/bin/su -,!/usr/local/sbin/visudo
The exception list should prevent the user from opening a root shell and editing
the sudoers file. But what happens when jdoe does the following:
> sudo cp /usr/local/bin/visudo .
> sudo ./visudo
> sudo cp /bin/su .
> sudo ./su -
This way, the user can do anything on the machine as root -- is there any
If not, there is no way to get an exception list secure.
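
Added example (not part of the original message, and not sudo project code): a small Python check that flags sudoers rules of the shape quoted above, where ALL is granted and individual commands are subtracted with "!". Such exclusions match the command's path, so they do not follow a copy of the binary. The parser is simplified (no includes, no commas inside a Runas list), and the OPS rule in the sample is constructed for contrast.

```python
import re

# Constructed sample: the rule quoted in the message plus a made-up allowlist rule.
SAMPLE = """\
# Host alias specification
Host_Alias ACH_SERVER = methusalix
User_Alias ADMIN = jdoe
ADMIN ACH_SERVER = NOPASSWD: ALL, !/bin/su, !/bin/su -,!/usr/local/sbin/visudo
OPS ACH_SERVER = /usr/bin/systemctl restart httpd, \\
                 /usr/bin/journalctl -u httpd
"""

SKIP = re.compile(r"^(Defaults|(User|Host|Runas|Cmnd)_Alias)\b")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, NOEXEC:, ...
RUNAS = re.compile(r"^\([^)]*\)\s*")     # (root), (ALL : ALL), ...

def logical_lines(text):
    """Join backslash continuations; drop blank lines and '#' comment lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def find_denylist_rules(text):
    """Return (who, negated_cmds) for every rule granting ALL minus exceptions."""
    findings = []
    for line in logical_lines(text):
        if SKIP.match(line) or "=" not in line:
            continue  # aliases and Defaults are not user specifications
        who, cmds = line.split("=", 1)
        entries = []
        for cmd in cmds.split(","):
            cmd = RUNAS.sub("", cmd.strip())      # drop a leading Runas spec
            entries.append(TAG.sub("", cmd).strip())  # drop leading tags
        negated = [e[1:].strip() for e in entries if e.startswith("!")]
        if "ALL" in entries and negated:
            findings.append((who.strip(), negated))
    return findings

if __name__ == "__main__":
    for who, negated in find_denylist_rules(SAMPLE):
        print(f"{who}: ALL with path-based exclusions {negated}; "
              "replace with an explicit list of allowed commands")
```

Only the ADMIN rule is reported; the OPS rule lists exactly the commands it permits, so there is nothing to subtract and nothing for a renamed binary to slip past.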