[sudo-users] How to prevent editing sudoers-file

Michael Potter pottmi at gmail.com
Thu Nov 30 00:08:08 EST 2006


On 11/29/06, Stephen Carville <stephen at totalflood.com> wrote:
>
> Matthew Hannigan wrote:
> > On Mon, Nov 27, 2006 at 10:32:33PM +0100, Claude Hohl wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >>> OK, thank you guys for the tips. I solved the problem about the
> >>> writable sudoers file this way:
> >>> Sudoers is located on a dedicated server; and it's exported via NFS
> >>> as a read-only filesystem. therefore, even as root you can not
> >>> write on it!
> >
> > But you could edit the sudo binary to use a different sudoers file.
> >
> > You've raised the bar a bit, but not much.
>
> True but trip wire should catch that.


And at best, you know that you had a problem, and at worst the hacker
disables tripwire and has sustained control of your system.

Tripwire would not detect a temporary copy of sudo that has been changed.

How about this:
Don't use sudo to give wide open root access.

-- 
Michael Potter
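The post closes by advising against handing out wide open root access through sudo. As an added example that is not part of the thread, the script below audits a sudoers-format file for entries whose command list is the unrestricted ALL (with or without tags such as NOPASSWD), so that such grants can be found and replaced with specific commands or a Cmnd_Alias. It assumes the entry syntax from sudoers(5), `user HOST=(runas) [TAG:] cmnd_list`; the sample file, user names and command aliases are constructed for the demo, and the match deliberately skips comment lines and `#include`/`@include` directives.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a sudoers-format file for
# entries whose command list is the unrestricted "ALL", i.e. the wide open
# root access the reply argues against. Assumes the syntax in sudoers(5):
#   user HOST=(runas) [TAG:] cmnd_list
# The sample file written by write_sample is constructed for the demo.

# ERE: "=" then optional "(runas)" then zero or more tags such as NOPASSWD:
# then the bare command list ALL at end of line. Written without backslashes
# so it survives awk -v escape processing unchanged.
WIDE_OPEN='=[[:space:]]*([(][^)]*[)][[:space:]]*)?([A-Z_]+:[[:space:]]*)*ALL[[:space:]]*$'

# Print each active (non-comment, non-directive) line granting ALL commands.
wide_open_grants() {
    awk -v re="$WIDE_OPEN" '!/^[[:space:]]*#/ && $0 ~ re { print }' "$1"
}

# Print how many such lines there are; always exits 0, even for a count of 0.
count_wide_open_grants() {
    awk -v re="$WIDE_OPEN" '!/^[[:space:]]*#/ && $0 ~ re { n++ } END { print n+0 }' "$1"
}

# Constructed sample: three wide-open grants (root, %wheel, alice) beside two
# least-privilege entries (bob via a Cmnd_Alias, carol via explicit commands).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample sudoers, not a real system's file
Defaults        env_reset
root            ALL=(ALL) ALL
%wheel          ALL=(ALL:ALL) ALL
alice           ALL=(ALL) NOPASSWD: ALL
Cmnd_Alias      WEBCTL = /usr/sbin/service httpd restart, /usr/sbin/service httpd reload
bob             ALL=(root) WEBCTL
carol           ALL=(root) /usr/bin/tail /var/log/httpd/*
EOF
}

# Demo run on the constructed sample (replace with /etc/sudoers on a real host).
tmp=$(mktemp)
write_sample "$tmp"
echo "wide-open grants in $tmp:"
wide_open_grants "$tmp"
echo "count: $(count_wide_open_grants "$tmp")"
rm -f "$tmp"
```

On a real host, run `wide_open_grants /etc/sudoers` as root; the `root ALL=(ALL) ALL` line is reported too and is expected, the entries worth rewriting are the ones for human accounts and groups. After rewriting an entry to a specific command list, check the file with `visudo -cf FILE` before installing it.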
