[sudo-users] How to prevent editing sudoers-file

Claude Hohl longneck at bluewin.ch
Mon Nov 27 16:32:33 EST 2006

Hash: SHA1

> OK, thank you guys for the tips. I solved the problem about the  
> writable sudoers file this way:
> Sudoers is located on a dedicated server; and it's exported via NFS  
> as a read-only filesystem. therefore, even as root you can not  
> write on it!
> it's a pity that the developers don't implement the tracing of  
> softlinks. not everybody wants to setup a dedicated server just for  
> sudo...
> Am 27.11.2006 um 4:01 schrieb Stephen Carville:
>> Stanley, Jon wrote:
>>> What if the "bad user" disables said cronjob?  IMHO, it should  
>>> checkin occasionally to say it ran, and an exception should be  
>>> generated if it does not run. The exact mechanism is still  
>>> unclear to me - it needs to be something that involves both the  
>>> server and the client, since if it's client-only, the malicious  
>>> user could write a script to emulate the behavior of the real  
>>> one, sans the actual checking.
>> The cron job runs on the secured station not the target box and there
>> are some other safeguards on that box since it also a central  
>> password
>> repository.
>> The script also sends status to Big Brother and Big Brother look for
>> visudo in bb-proctab but that's really trivial to spoof.  Sure this
>> could be bypassed.  Any! security can be bypassed.  I'm just  
>> suggesting
>> an additional and relatively easy to implement layer.
>>> ----- Original Message -----
>>> From: sudo-users-bounces at courtesan.com <sudo-users- 
>>> bounces at courtesan.com>
>>> To: sudo-users at sudo.ws <sudo-users at sudo.ws>
>>> Sent: Sun Nov 26 18:47:22 2006
>>> Subject: Re: [sudo-users] How to prevent editing sudoers-file
>>> Michael Potter wrote:
>>>> Claude,
>>>> This question comes up in many forms many times.
>>>> This comes down to that you are trying to enumerate all the bad  
>>>> things that
>>>> a user could do and put in a rule to avoid them.  That strategy  
>>>> does not
>>>> work.  There are many other ways that your user could do malious  
>>>> things (and
>>>> not be logged).
>>> One thing I do is to edit my sudoers file on a workstations that  
>>> only
>>> "sudo admins" have access to.  When the edits are done, a script  
>>> is run
>>>   to push the modified sudoers file to all the machines that use it.
>>> This script also writes out a file with the new sudoers file  
>>> md5sum in
>>> it.  A cron job run regularly that checks the md5sum for suders  
>>> on all
>>> of the machine and it if there is difference, notifies the sudo  
>>> admins.
>> -- 
>> Stephen Carville <stephen at totalflood.com>
>> Unix and Network Admin
>> Nationwide Totalflood
>> 6033 W. Century Blvd
>> Los Angeles, CA 90045
>> 310-342-3602
>> ____________________________________________________________
>> sudo-users mailing list <sudo-users at sudo.ws>
>> For list information, options, or to unsubscribe, visit:
>> http://www.sudo.ws/mailman/listinfo/sudo-users
> Version: GnuPG v1.4.3 (Darwin)
> iD8DBQFFa1jukPADilYGTHwRAs06AJwMsn+/kdfhgUcq54p0qfn0c1Q4qACfeyCM
> Yx2AeNLDqUnl/JzHFqJ3cKQ=
> =epwd

Version: GnuPG v1.4.3 (Darwin)


More information about the sudo-users mailing list