security issue with exception lists

Ullrich Rieger ullrich.rieger at
Tue Sep 23 04:20:55 EDT 2003


I have configured sudo on a machine for development purposes. The idea was to 
give a colleague administration rights on this machine without adding him to 
the administrator group, so I basically added this lines to the sudoers file: 

# Host alias specification
Host_Alias      ACH_SERVER = methusalix
User_Alias      ADMIN = jdoe
ADMIN ACH_SERVER = NOPASSWD: ALL, !/bin/su, !/bin/su -,!/usr/local/sbin/visudo

The exception list should prevent the user to open a root shell and edit the 
sudoers file. But what happens, when jdoe does the following:

> sudo cp /usr/local/bin/visudo .
> sudo ./visudo

or even

> sudo cp /bin/su .
> sudo ./su -

This way, the user can do anything on the machine as root -- is there any 

If not, there is no way to get an exception list secure.


More information about the sudo-users mailing list