[sudo-users] configuration question

Michael Potter pottmi at gmail.com
Mon Sep 3 20:10:46 EDT 2007


Harm,

mount /usr/local/operators using nfs and turn off root write privilege.

You would have to mount it from a machine that operators do not have
access to and you would have to make sure that they could not unmount
and then mount their rogue directory.

If you are allowing them to run tar as root, then your
/usr/local/operators directory is not the only target for mischief.

Consider a wrapper script for tar that creates archives.
Consider a wrapper script for chmod that changes the users to root
once an archive is unpacked (tar would run as an operator).

You probably know this, but for the benefit of anyone else reading...
Giving someone sudo access on your machine to commands that were not
very carefully screened (anything that can shell out or write files,
e.g. tar) will mean that your machine is subject to being cracked.
You have to back those decisions with a strong policy: "Use sudo to
bypass sudo and you will be fired".

-- 
Michael Potter

On 8/14/07, Meijer, Harm <Harm.Meijer at itsmaxeda.com> wrote:
> Hi All,
>
> Our configuration needs to allow a group of Operators to be able to
> execute some scripts in a certain directory, e.g. /usr/local/operators/
>
> Within sudoers this is setup using an alias as shown below:
>
> Cmnd_Alias SCRIPT = /usr/local/operators/*
>
> The group of operators also has access to some other commands among them
> is "tar".
>
> My question is how would we go about restricting the Operators from
> extracting anything from a "tar" archive into the /usr/local/operators/
> directory? As we don't want them to be able to introduce any new scripts
> in the specific directory from which they're allowed to execute anything
> in combination with "sudo".
>
> With advanced appreciation,
>
> Best regards,
>
> Harm Meijer
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
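Added example, not code from this thread or from the sudo project: a hypothetical create-only tar wrapper in POSIX sh that implements the "wrapper script for tar that creates archives" idea from the reply above. Instead of passing operator-supplied options through to tar, it takes a fixed ARCHIVE PATH... form and always runs "tar -cf ARCHIVE -- PATH...", so extraction modes and options that shell out never reach tar at all. The archive may only be written directly into one backup directory (after resolving symlinks) and never under the protected script directory. The paths /var/backups, /usr/local/operators, /bin/tar and the install name tar-create are assumptions; adjust them for your site.

```shell
#!/bin/sh
# tar-create: hypothetical create-only tar wrapper meant to be the only tar
# operators may run via sudo (added example, not from the sudo-users thread).
# Usage: tar-create ARCHIVE PATH...
# Effect: tar -cf ARCHIVE -- PATH...   with ARCHIVE confined to ALLOWED_DIR.
REAL_TAR="${REAL_TAR:-/bin/tar}"                       # assumed location of tar
ALLOWED_DIR="${ALLOWED_DIR:-/var/backups}"             # assumed archive destination
PROTECTED_DIR="${PROTECTED_DIR:-/usr/local/operators}" # sudo script directory

# physical_dir DIR -> prints DIR with every symlink component resolved, or fails.
physical_dir() {
    ( cd -- "$1" 2>/dev/null && pwd -P )
}

# validate_archive_path ARCHIVE ALLOWED PROTECTED
# Returns 0 only if ARCHIVE is not option-like, is not an existing symlink,
# its directory part resolves to exactly ALLOWED, and the resolved name is
# nowhere under PROTECTED.
validate_archive_path() {
    archive=$1; allowed=$2; protected=$3
    case "$archive" in
        -*|""|*/) return 1 ;;         # option-like, empty, or a directory
    esac
    [ -L "$archive" ] && return 1     # would write through an existing symlink
    dir=$(dirname -- "$archive") || return 1
    base=$(basename -- "$archive") || return 1
    real=$(physical_dir "$dir") || return 1
    real_allowed=$(physical_dir "$allowed") || return 1
    [ "$real" = "$real_allowed" ] || return 1
    case "$real/$base" in
        "$protected"|"$protected"/*) return 1 ;;
    esac
    return 0
}

# validate_source_path PATH -> 0 unless PATH is empty or could parse as an option.
validate_source_path() {
    case "$1" in
        -*|"") return 1 ;;
        *) return 0 ;;
    esac
}

main() {
    [ $# -ge 2 ] || { echo "usage: $0 ARCHIVE PATH..." >&2; exit 2; }
    archive=$1; shift
    validate_archive_path "$archive" "$ALLOWED_DIR" "$PROTECTED_DIR" || {
        echo "refused: archive must be a new file directly in $ALLOWED_DIR" >&2
        exit 1
    }
    for p in "$@"; do
        validate_source_path "$p" || { echo "refused: bad path '$p'" >&2; exit 1; }
    done
    # "--" ends option parsing, so no source path can be read as a tar option.
    exec "$REAL_TAR" -cf "$archive" -- "$@"
}

# Run only when invoked under the installed name, so the file can be sourced.
case "$0" in
    */tar-create|tar-create) main "$@" ;;
esac
```

Install it root-owned and not writable by operators, outside /usr/local/operators, and point sudoers at the wrapper rather than at tar, e.g. Cmnd_Alias TARCREATE = /usr/local/sbin/tar-create followed by %operators ALL = (root) TARCREATE (both assumed names). Two caveats: the wrapper still lets an operator archive any file root can read, so if that matters, whitelist source paths the same way the archive path is whitelisted; and the symlink check is a check-then-use, so the allowed directory itself must be root-owned and not writable by operators, otherwise the link can be swapped in between the check and the exec.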