[sudo-users] sudoers question
Andrew Hall
halla3 at corp.earthlink.net
Mon Dec 13 17:08:58 EST 2004
Todd,
Thank you for your suggestions. Yes, I'm kinda in a pinch here in that
this is a development env, and users can have root under certain
circumstances, but I wanted to force users to run root cmds via sudo.
Todd C. Miller wrote:
> When you give someone sudo ALL you give them the means to get around
> sudo's logging. Trying to deny things with '!' is not very
> realistic--there is always a way around it if you have ALL. You
> are much better off just giving users a set of commands that they
> can run instead of trying to give them access to everything and
> adding restrictions.
Agreed, but w/ the above reasoning, I am limited in what I can restrict.
Am I correct in that if I deny /bin/zsh that /usr/local/bin/zsh
should also be denied? I seem to remember testing and that was the
behavior.
>
> One thing you can do is to use the "noexec" option or NOEXEC tag
> in sudo 1.6.8 to prevent users from running commands that in turn
> invoke other commands but this can be defeated by running a static
> binary.
I will investigate that.
>
> If what you are worried about is an audit trail, the current sudo
> sources in cvs support monitoring the sudo-run command and intercepting
> exec system calls for systems that support systrace (see
> www.systrace.org).
Thanks, I will check it out.
>
> Really though, this comes down to policy. If people are abusing
> your trust by running shells when they are not supposed to be you
> should consider simply revoking their sudo privileges.
>
> - todd
>
Drew
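The thread's two points are that `ALL` plus `!` exclusions is not a real restriction and that an explicit allow list (with the `NOEXEC` tag from sudo 1.6.8) is the sound alternative. The following audit script is an added example and is not part of the original post, nor is it code from the sudo project: it embeds a constructed weak policy beside a constructed hardened one, parses a simplified subset of the sudoers grammar (`Cmnd_Alias` lines and `user host = (runas) TAG: cmd, cmd` user specs), and reports the patterns the thread warns about. One caveat relevant to the question about `/usr/local/bin/zsh`: sudo matches commands by pathname, so a `!/bin/zsh` entry says nothing about a shell living at any other path, which is exactly why the linter treats a deny list on top of `ALL` as a single finding rather than trying to enumerate paths. The alias names, usernames and command paths in the samples are invented for illustration.

```python
import os
import re

# Constructed sample (not from any real host): the denial-based policy the thread warns against.
WEAK_SUDOERS = """\
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/zsh
drew ALL = (ALL) ALL, !SHELLS
"""

# Constructed sample (not from any real host): an explicit allow list with the NOEXEC tag.
HARDENED_SUDOERS = """\
Cmnd_Alias DEV_CMDS = /usr/sbin/apachectl graceful, \\
                      /usr/bin/tail -f /var/log/httpd/error_log
drew ALL = (root) NOEXEC: DEV_CMDS
"""

SHELL_NAMES = {"sh", "bash", "zsh", "ksh", "csh", "tcsh", "dash"}
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def _logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_sudoers(text):
    """Return (aliases, specs) for a simplified sudoers subset.

    Only Cmnd_Alias lines and user specs are understood; Defaults and the
    other alias kinds are skipped. As in real sudoers, a tag such as NOEXEC:
    applies to the command it precedes and sticks for the rest of the list
    until overridden by the opposite tag (EXEC:)."""
    aliases, specs = {}, []
    for line in _logical_lines(text):
        first = line.split()[0]
        if first == "Defaults" or (first.endswith("_Alias") and first != "Cmnd_Alias"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, host, runas, cmd_list = m.groups()
        tags, entries = set(), []
        for item in (c.strip() for c in cmd_list.split(",")):
            while (t := TAG_RE.match(item)):
                tag = t.group(1)
                tags.discard({"EXEC": "NOEXEC", "NOEXEC": "EXEC"}.get(tag, ""))
                tags.add(tag)
                item = item[t.end():]
            negated = item.startswith("!")
            name = item.lstrip("!").strip()
            for cmd in aliases.get(name, [name]):  # expand Cmnd_Alias, else literal
                entries.append({"cmd": cmd, "negated": negated, "tags": frozenset(tags)})
        specs.append({"user": user, "host": host, "runas": runas or "root", "entries": entries})
    return aliases, specs


def lint(text):
    """Return (user, finding) pairs for the weaknesses discussed in the thread."""
    _, specs = parse_sudoers(text)
    findings = []
    for spec in specs:
        allowed = [e for e in spec["entries"] if not e["negated"]]
        denied = [e for e in spec["entries"] if e["negated"]]
        grants_all = any(e["cmd"] == "ALL" for e in allowed)
        if grants_all and denied:
            findings.append((spec["user"], "ALL with '!' exclusions: deny list is bypassable, use an allow list"))
        elif grants_all:
            findings.append((spec["user"], "ALL: unrestricted root, consider an explicit command list"))
        for e in allowed:
            if e["cmd"] == "ALL":
                continue
            prog = os.path.basename(e["cmd"].split()[0])
            if prog in SHELL_NAMES:
                findings.append((spec["user"], f"{e['cmd']}: shell granted directly"))
            elif "NOEXEC" not in e["tags"]:
                findings.append((spec["user"], f"{e['cmd']}: no NOEXEC tag, command may exec other programs"))
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(label, lint(policy) or "no findings")
```

Run it against a real `/etc/sudoers` by passing `open("/etc/sudoers").read()` to `lint()`; the grammar subset is deliberately small, so anything it cannot parse is skipped rather than guessed, and `visudo -c` remains the authority on whether the file is valid at all. Note that `NOEXEC` is only a partial control, as the thread says: a statically linked binary is not affected by it, so the allow list itself is the control that matters.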