Galen.Johnson at sas.com
Sun May 23 20:41:29 EDT 2004
Believe me, I am under no illusions as to the security of excluding shells and know of several ways around them. As you say, this is more for the ability to slap hands when they are caught and it does stop neophytes from getting a shell. Many of my users are from a Windows world and have trouble moving around without a gui (go figure).
From: sudo-users-bounces at sudo.ws on behalf of Howard Owen
Sent: Sun 5/23/2004 2:26 AM
To: Aaron Spangler
Cc: sudo-users at sudo.ws; Galen Johnson
Subject: Re: Ldif format
On Sat, 2004-05-22 at 21:06, Aaron Spangler wrote:
> Essentially there is an infinite amount of commands and permutations that
> essentially give you some sort of shell. Because of this, it does not make
> sense to allow a feature that gives the admin a false sense of security.
> As a result, the !command feature was dropped before it became generally
I'm always amazed at organizations that persist in using the '!SHELLS'
syntax. Knowing that many people who do this are not stupid makes it
even harder to credit. I've finally come to the conclusion that many
groups do this as an expression, rather than an enforcement of policy.
If someone is caught doing something stupid or malicious in a root
shell, management can say "you evaded our clear policy against root
You may or may not consider this alternate interpretation of excluding
shells from 'ALL' as legitimate, or worth the confusion of people who
believe such an exclusion actually works, but I thought I'd mention it.
Howard Owen "Even if you are on the right
EGBOK Consultants track, you'll get run over if you
hbo at egbok.com +1-650-218-2216 just sit there." - Will Rogers
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
More information about the sudo-users