[sudo-users] How to prevent editing sudoers-file

Stanley, Jon Jon.Stanley at savvis.net
Sun Nov 26 19:59:44 EST 2006


What if the "bad user" disables said cronjob?  IMHO, it should check in occasionally to say it ran, and an exception should be generated if it does not run. The exact mechanism is still unclear to me - it needs to be something that involves both the server and the client, since if it's client-only, the malicious user could write a script to emulate the behavior of the real one, sans the actual checking.
 

----- Original Message -----
From: sudo-users-bounces at courtesan.com <sudo-users-bounces at courtesan.com>
To: sudo-users at sudo.ws <sudo-users at sudo.ws>
Sent: Sun Nov 26 18:47:22 2006
Subject: Re: [sudo-users] How to prevent editing sudoers-file

Michael Potter wrote:
> Claude,
> 
> This question comes up in many forms many times.
> 
> This comes down to that you are trying to enumerate all the bad things that
> a user could do and put in a rule to avoid them.  That strategy does not
> work.  There are many other ways that your user could do malicious things (and
> not be logged).

One thing I do is to edit my sudoers file on a workstation that only 
"sudo admins" have access to.  When the edits are done, a script is run 
to push the modified sudoers file to all the machines that use it. 
This script also writes out a file with the new sudoers file md5sum in 
it.  A cron job runs regularly that checks the md5sum of sudoers on all 
of the machines and, if there is a difference, notifies the sudo admins.

-- 
Stephen Carville <stephen at totalflood.com>
Unix and Network Admin
Nationwide Totalflood
6033 W. Century Blvd
Los Angeles, CA 90045
310-342-3602
____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
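The digest check Stephen describes, plus the server-side "did the client check in at all?" exception Jon asks for, as an added shell example that is not part of the thread. The report-file layout (one `<epoch> <digest>` line per host), the paths and the host names are assumptions made for the demo.

```shell
# Added example, not code from the thread. Client side: compare the live
# sudoers digest with the one the push script recorded. Server side: flag
# hosts whose last report is missing, stale or wrong, so a cron job that was
# simply switched off still raises an alert. File layout is an assumption.

# First field of md5sum output (the thread's digest; any digest tool works).
digest_of() { md5sum "$1" | cut -d' ' -f1; }

# Client check: 0 = live file matches recorded digest, 1 = mismatch, 2 = no record.
check_sudoers() {
    [ -r "$2" ] || return 2
    [ "$(digest_of "$1")" = "$(cut -d' ' -f1 < "$2")" ]
}

# Server check. Each host's cron job writes "<epoch> <digest>" to DIR/<host>.
# Usage: audit_reports DIR MASTER_DIGEST MAX_AGE NOW HOST...  Prints one line
# per problem host ("silent" or "mismatch"), returns 1 if any. A client can
# still forge its report, so the silence test only catches a stopped job;
# the authoritative digest comes from pulling the file and hashing it here.
audit_reports() {
    report_dir="$1"; master="$2"; max_age="$3"; now="$4"; shift 4; rc=0
    for host in "$@"; do
        report="$report_dir/$host"
        if [ ! -r "$report" ]; then
            echo "$host silent (no report)"; rc=1; continue
        fi
        read -r stamp reported < "$report"
        if [ $((now - stamp)) -gt "$max_age" ]; then
            echo "$host silent (last report $((now - stamp))s ago)"; rc=1
        elif [ "$reported" != "$master" ]; then
            echo "$host mismatch (reported $reported)"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: healthy host, stopped cron, edited sudoers, never reported.
demo() {
    tmp=$(mktemp -d); now=100000
    printf 'root ALL=(ALL) ALL\n' > "$tmp/sudoers"
    md5sum "$tmp/sudoers" > "$tmp/sudoers.md5"      # what the push script records
    master=$(digest_of "$tmp/sudoers"); mkdir "$tmp/reports"
    echo "$((now - 60)) $master" > "$tmp/reports/web1"
    echo "$((now - 7200)) $master" > "$tmp/reports/db1"
    echo "$((now - 30)) deadbeef" > "$tmp/reports/app1"
    check_sudoers "$tmp/sudoers" "$tmp/sudoers.md5" && echo "local sudoers: OK"
    audit_reports "$tmp/reports" "$master" 3600 "$now" web1 db1 app1 bastion || echo "exceptions above"
    rm -rf "$tmp"
}
demo
```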

