[sudo-users] sudoers question
Todd C. Miller
Todd.Miller at courtesan.com
Mon Dec 13 17:04:12 EST 2004
When you give someone sudo ALL you give them the means to get around
sudo's logging. Trying to deny things with '!' is not very
realistic--there is always a way around it if you have ALL. You
are much better off just giving users a set of commands that they
can run instead of trying to give them access to everything and
adding restrictions.
One thing you can do is to use the "noexec" option or NOEXEC tag
in sudo 1.6.8 to prevent users from running commands that in turn
invoke other commands but this can be defeated by running a static
binary.
If what you are worried about is an audit trail, the current sudo
sources in cvs support monitoring the sudo-run command an intercepting
exec system calls for systems that support systrace (see
www.systrace.org).
Really though, this comes down to policy. If people are abusing
your trust by running shells when they are not supposed to be you
should consider simply revoking their sudo privileges.
- todd
More information about the sudo-users
mailing list