[sudo-users] Re: sudo-users Digest, Vol 23, Issue 8

Aaron Spangler aaron777 at gmail.com
Thu Nov 25 11:19:53 EST 2004


Dean,

If you could prevent someone from performing an rm against the
logfile, you still cannot prevent them from renaming the file to
something obscure and copying the logfile back to the new file
(removing any offending entries of course).  You might consider having
sudo log to a separate server that has additional protections via
syslog.

In general it is nearly impossible to allow someone to do all things
except a certain action because there are often dozens of ways to
perform the same action.  Let's say we tell sudo to not allow
'/usr/bin/rm /var/adm/sudo.log'.  But they could then cd into the
directory and do an 'rm logfile'.  What if they were one directory
higher?  What if they were eight directories deep and did something
like 'rm ../../../../../../../../var/adm/sudo.log' ?  Okay, so let's
remove the 'rm' command altogether.  Well what if they used perl?
'perl -e unlink "/var/adm/sudo.log"'   Okay, so get rid of perl.
What if they decided to write some small C code to unlink the file?
Okay, so get rid of text editors and compilers?  What if they created
a shell script that has rm in it?  (echo "rm /var/adm/sudo.log" >
/tmp/script; sudo /tmp/script).

You can see how trying to prevent a user from performing a certain
action is nearly impossible.  It is better to delegate only how much
they need, rather than try to deny a few.

I hope this helps.

 -Aaron
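The point Aaron makes, as an added example that is not part of the original post and not sudo's own policy code: a toy model of a "deny one command" policy beside a "grant only what is needed" policy, evaluated against the command variants the post lists. The rule syntax, the function names and the sample working directories are my own assumptions, not sudoers grammar; the argument scan uses plain path normalisation and, as the post says, cannot see the perl or script variants at all.

```python
"""Added example (not from the original sudo-users post): why a deny-list
rule cannot protect a file, while an allow-list does.  Rule syntax and
helper names are assumptions for illustration, not sudoers grammar."""
import os
import shlex

LOGFILE = "/var/adm/sudo.log"   # the file the post discusses

# The post's own command variants as (working directory, command line).
# Working directories are constructed sample input.
ATTEMPTS = [
    ("/", "/usr/bin/rm /var/adm/sudo.log"),
    ("/var/adm", "rm sudo.log"),
    ("/a/b/c/d/e/f/g/h", "rm ../../../../../../../../var/adm/sudo.log"),
    ("/", "perl -e 'unlink \"/var/adm/sudo.log\"'"),
    ("/", "/tmp/script"),
]


def deny_list_allows(cwd, cmdline,
                     denied=("/usr/bin/rm /var/adm/sudo.log",)):
    """'Everything except X' policy: compares the literal command string,
    which is all a string-based deny rule can do."""
    return cmdline not in denied


def allow_list_allows(cwd, cmdline,
                      allowed=("/usr/bin/tail -f /var/log/messages",)):
    """Least-privilege policy: only exact, explicitly granted commands pass.
    The granted command is a hypothetical example of what the user needs."""
    return cmdline in allowed


def touches_logfile(cwd, cmdline):
    """Resolve each argument against cwd and report whether any names LOGFILE.
    This catches the relative-path variants but not perl or a wrapper script,
    which reach the file without naming it as a plain argument."""
    for arg in shlex.split(cmdline)[1:]:
        if os.path.normpath(os.path.join(cwd, arg)) == LOGFILE:
            return True
    return False


def evaluate(policy):
    """List the command lines a policy lets through, each paired with whether
    the argument scan recognised it as reaching LOGFILE."""
    return [(cmd, touches_logfile(cwd, cmd))
            for cwd, cmd in ATTEMPTS if policy(cwd, cmd)]


if __name__ == "__main__":
    print("deny-list lets through:", evaluate(deny_list_allows))
    print("allow-list lets through:", evaluate(allow_list_allows))
```

Run stand-alone, the deny-list policy blocks only the exact string it names and passes the other four variants (two of which the path scan flags, two of which it cannot), while the allow-list policy passes none of them and still permits the one command the user was actually granted.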


