[sudo-users] How to prevent editing sudoers-file
Claude Hohl
longneck at bluewin.ch
Mon Nov 27 16:32:33 EST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> OK, thank you guys for the tips. I solved the problem about the
> writable sudoers file this way:
> Sudoers is located on a dedicated server, and it's exported via NFS
> as a read-only filesystem. Therefore, even as root you can not
> write to it!
>
> it's a pity that the developers don't implement the tracing of
> softlinks. not everybody wants to setup a dedicated server just for
> sudo...
>
>
> Am 27.11.2006 um 4:01 schrieb Stephen Carville:
>
>> Stanley, Jon wrote:
>>> What if the "bad user" disables said cronjob? IMHO, it should
>>> checkin occasionally to say it ran, and an exception should be
>>> generated if it does not run. The exact mechanism is still
>>> unclear to me - it needs to be something that involves both the
>>> server and the client, since if it's client-only, the malicious
>>> user could write a script to emulate the behavior of the real
>>> one, sans the actual checking.
>>
>> The cron job runs on the secured station, not the target box, and there
>> are some other safeguards on that box since it is also a central
>> password repository.
>>
>> The script also sends status to Big Brother, and Big Brother looks for
>> visudo in bb-proctab, but that's really trivial to spoof. Sure, this
>> could be bypassed. Any security can be bypassed. I'm just suggesting
>> an additional and relatively easy to implement layer.
>>
>>>
>>> ----- Original Message -----
>>> From: sudo-users-bounces at courtesan.com <sudo-users-
>>> bounces at courtesan.com>
>>> To: sudo-users at sudo.ws <sudo-users at sudo.ws>
>>> Sent: Sun Nov 26 18:47:22 2006
>>> Subject: Re: [sudo-users] How to prevent editing sudoers-file
>>>
>>> Michael Potter wrote:
>>>> Claude,
>>>>
>>>> This question comes up in many forms many times.
>>>>
>>>> This comes down to that you are trying to enumerate all the bad
>>>> things that a user could do and put in a rule to avoid them. That
>>>> strategy does not work. There are many other ways that your user
>>>> could do malicious things (and not be logged).
>>>
>>> One thing I do is to edit my sudoers file on a workstation that only
>>> "sudo admins" have access to. When the edits are done, a script is run
>>> to push the modified sudoers file to all the machines that use it.
>>> This script also writes out a file with the new sudoers file's md5sum
>>> in it. A cron job runs regularly that checks the md5sum for sudoers on
>>> all of the machines, and if there is a difference, notifies the sudo
>>> admins.
>>>
>>
>>
>> --
>> Stephen Carville <stephen at totalflood.com>
>> Unix and Network Admin
>> Nationwide Totalflood
>> 6033 W. Century Blvd
>> Los Angeles, CA 90045
>> 310-342-3602
>> ____________________________________________________________
>> sudo-users mailing list <sudo-users at sudo.ws>
>> For list information, options, or to unsubscribe, visit:
>> http://www.sudo.ws/mailman/listinfo/sudo-users
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (Darwin)
>
> iD8DBQFFa1jukPADilYGTHwRAs06AJwMsn+/kdfhgUcq54p0qfn0c1Q4qACfeyCM
> Yx2AeNLDqUnl/JzHFqJ3cKQ=
> =epwd
> -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iD8DBQFFa1lxkPADilYGTHwRArruAJ4wx2WuMSit5RuMJtusNJdsEhM55QCeNWcQ
XOAJoEyLdavUHK4mYrogzkw=
=3S+0
-----END PGP SIGNATURE-----
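The push-and-verify scheme Stephen describes (record a digest when sudoers is pushed, compare it later from the secured station, alert on drift) can be implemented with a few shell functions. The following is an added example written for this page; it is not the script from the thread. It substitutes SHA-256 for md5sum, assumes GNU coreutils `sha256sum`, and assumes a manifest file in the `<sha256>  <path>` format that `sha256sum` itself writes. The optional ROOT argument exists so the check can run on the admin station over a copy of each host's files (fetched with rsync or ssh) rather than on the host, which is the point Jon Stanley raised: a check that runs on the target box can be disabled or faked by the same person who altered sudoers.

```sh
#!/bin/sh
# Added example, not code from the sudo-users thread.
# Record digests of the pushed sudoers files and later detect any drift.
# Assumes GNU coreutils sha256sum and a manifest of "<sha256>  <path>" lines.

# record_sudoers_digests MANIFEST FILE...
# Called by the push script right after a successful push; writes one line per file.
record_sudoers_digests() {
    manifest="$1"; shift
    sha256sum "$@" > "$manifest"
}

# check_sudoers_digests MANIFEST [ROOT]
# Re-hashes every file listed in MANIFEST. ROOT, if given, is prefixed to each
# recorded path so a tree fetched from a remote host (e.g. /var/audit/host1)
# can be checked on the admin station instead of on the host itself.
# Returns 0 if everything matches, 1 if any file changed, 2 if any file is missing.
check_sudoers_digests() {
    manifest="$1"; root="${2:-}"; status=0
    while read -r expected path; do
        file="$root$path"
        if [ ! -r "$file" ]; then
            echo "ALERT: $file missing or unreadable" >&2
            status=2
            continue
        fi
        actual=$(sha256sum "$file" | awk '{print $1}')
        if [ "$expected" != "$actual" ]; then
            echo "ALERT: $file changed (expected $expected, got $actual)" >&2
            [ "$status" -eq 2 ] || status=1
        fi
    done < "$manifest"
    return "$status"
}

# Optional syntax check of a fetched copy; only run where visudo is installed.
check_sudoers_syntax() {
    command -v visudo >/dev/null 2>&1 || return 0
    visudo -c -f "$1"
}

# Demonstration on a constructed sudoers file in a temporary directory.
demo_sudoers_check() {
    tmp=$(mktemp -d)
    printf 'root ALL=(ALL) ALL\n' > "$tmp/sudoers"          # constructed sample
    record_sudoers_digests "$tmp/manifest" "$tmp/sudoers"
    if check_sudoers_digests "$tmp/manifest"; then
        echo "unchanged: OK"
    fi
    # Simulate an unauthorised edit on the target host.
    printf 'mallory ALL=(ALL) NOPASSWD: ALL\n' >> "$tmp/sudoers"
    if ! check_sudoers_digests "$tmp/manifest" 2>/dev/null; then
        echo "drift detected: alert the sudo admins"
    fi
    rm -rf "$tmp"
}
```

In deployment the push script calls `record_sudoers_digests` with the local master copy, and a cron job on the admin station fetches each host's `/etc/sudoers` (and `sudoers.d/*` if used) into a per-host directory and calls `check_sudoers_digests manifest /var/audit/hostname`. A non-zero return is the cue to page someone; as the thread notes, the check is a detection layer, not a prevention one.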