[sudo-users] sudoers question

Andrew Hall halla3 at corp.earthlink.net
Mon Dec 13 17:08:58 EST 2004


Thank you for your suggestions.  Yes, I'm kinda in a pinch here in that 
this is a development env, and users can have root under certain 
circumstances, but I wanted to force users to run root cmds via sudo.

Todd C. Miller wrote:
> When you give someone sudo ALL you give them the means to get around
> sudo's logging.  Trying to deny things with '!' is not very
> realistic--there is always a way around it if you have ALL.  You
> are much better off just giving users a set of commands that they
> can run instead of trying to give them access to everything and
> adding restrictions.
Agreed, but w/ the above reasoning, I am limited it what I can restrict. 
   Am I correct in that if I deny /bin/zsh that /usr/local/bin/zsh 
should also be denied?  I seem to remember testing and that was the 

> One thing you can do is to use the "noexec" option or NOEXEC tag
> in sudo 1.6.8 to prevent users from running commands that in turn
> invoke other commands but this can be defeated by running a static
> binary.
I will investigate that.
> If what you are worried about is an audit trail, the current sudo
> sources in cvs support monitoring the sudo-run command an intercepting
> exec system calls for systems that support systrace (see
> www.systrace.org).
Thanks, I will check it out.

> Really though, this comes down to policy.  If people are abusing
> your trust by running shells when they are not supposed to be you
> should consider simply revoking their sudo privileges.
>  - todd


More information about the sudo-users mailing list