[sudo-users] Danger Commands for sudo ?

Russell Van Tassell russell+sudo-users at loosenut.com
Wed Apr 9 19:14:05 EDT 2008


On Wed, Apr 09, 2008 at 07:41:58AM +0200, Jan Koprowski wrote:
> Hi Everybody !
> 
>    In the book "System Administration" [
> http://www.oreilly.com/catalog/esa3/ ] I read that there are dangerous
> commands. When we use commands with a shell escape, like less or more,
> with sudo we can escape from them, in the sudo environment, and get a
> root shell... Is there any list of commands which shouldn't be used with
> sudo?
> 
> Thank you for any response...

I don't know of any "list" anywhere (since the list of commands is so
huge and varies so much from system-to-system and implementation to
implementation).  But, the general ROT (Rule of Thumb) is to know the
command before you grant sudo privs to it... and then, "least privilege"
practices from there... and don't forget to turn logging on and actually
pay attention to what your users are doing.

Editors tend to be the "big" no-no... though replacements such as "vim"
have means to invoke them so that they won't allow a shell.  So, as they
say, caveat emptor, buyer beware, and YMMV (Your Mileage May Vary).

You might provide more insight into the application for which you are
using sudo, including platforms, and some folks might be able to give
you a better list... just remember that even seemingly "innocent" things
like the "cat" utility can be used in evil manners.

Hope that somehow helps...
Russell

-- 
Russell M. Van Tassell
russell at loosenut.com

"When I die, I would like to go peacefully, in my sleep, like my
 Grandfather. Not screaming in terror like his passengers." - Jack Handy
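As an added illustration (not code from this thread or from the sudo project): a small POSIX shell audit over a constructed sudoers sample. It flags user specs that grant commands the thread names as having shell escapes (less, more, editors) without sudo's NOEXEC tag, and the sample also shows the hardened alternatives (NOEXEC, sudoedit, output logging). The user names, the sample entries and the list of escaper commands are assumptions.

```shell
#!/bin/sh
# Constructed sudoers sample (assumption, not taken from any real host).
# Pairs of entries: a weak grant next to its least-privilege counterpart.
SAMPLE_SUDOERS='# turn logging on, as the thread advises
Defaults log_output
alice ALL=(root) /usr/bin/less /var/log/*
bob   ALL=(root) NOEXEC: /usr/bin/less /var/log/*
carol ALL=(root) /usr/bin/vim /etc/hosts
dave  ALL=(root) sudoedit /etc/hosts
erin  ALL=(root) /sbin/service nginx restart'

# Commands the thread mentions as able to spawn a shell.
# Assumption: this list is illustrative, not exhaustive.
ESCAPERS='less|more|vi|vim'

# Print the user specs that grant an escaper command without NOEXEC.
# $1 is the sudoers text; Defaults lines and comments are skipped.
audit_sudoers() {
    printf '%s\n' "$1" \
    | grep -v '^[[:space:]]*#' \
    | grep -v '^Defaults' \
    | grep -E "(^|[[:space:]/])(${ESCAPERS})([[:space:]]|$)" \
    | grep -v 'NOEXEC:'
}

# Stand-alone run: lists alice's and carol's entries, not bob's or dave's.
audit_sudoers "$SAMPLE_SUDOERS"
```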
