[sudo-users] How to disable ( deny ) user to change the password of root

Stephen Carville scarville at landam.com
Fri Nov 21 12:50:19 EST 2008


On Tuesday 18 November 2008 18:14, Russell Van Tassell wrote:
> On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
> > > [Preventing root passwd change using sudo]
> >
> > In truth, Gordon Messmer's suggestion is probably more secure.  The only
> > change I'd make would be to embed the sudo command in the script.  Something
> > like.
> >
> > [...]
> >
> > The give sudo permissions something like:
> >
> > SYSADM  MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
>
> Just "devil's advocate," caveat emptor, buyer beware and all that jazz...
>
> This still doesn't prevent people from doing things such as:
>
> /usr/bin/sudo /usr/bin/sh /usr/bin/passwd
>
> ...or other similar "nasty" things (the list is quite huge).  This also
> presumes, of course, that the "typical" sudoers file allows more than it
> prevents/excludes.

Absolutely and, personally, I only use sudo where the access control needed is 
either ALL or nothing plus a few commands.  Outside that I will use the 
consolehelper program found in Redhat, CentOS and Fedora.

-- 
Stephen Carville <scarville at landam.com>
Systems Engineer
Land America
1.626.667.1450 X1326
============================================================
Any security software design that doesn't assume the enemy
possesses the source code is already untrustworthy.
                                           -- Eric Raymond
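The thread above weighs two ways of letting admins reset other users' passwords through sudo: a sudoers rule that grants /usr/bin/passwd with a glob, versus a script that carries the policy. The following is an added example, not code posted in the thread, of the script-centred variant: sudo grants only the wrapper itself (a fixed path, no wildcard), and the wrapper refuses the root account and any other uid-0 account before it runs passwd. The path /usr/local/sbin/chpass, the group name sysadm and the 32-character name limit are assumptions made here; the sudoers line in the comment is ordinary sudoers syntax for that assumed path.

```shell
#!/bin/sh
# Added example, not from the sudo-users thread.  Hypothetical install path:
# /usr/local/sbin/chpass (root-owned, mode 0755, not writable by admins).
#
# Matching sudoers entry (group name "sysadm" is assumed):
#   %sysadm ALL = (root) /usr/local/sbin/chpass
# The rule names the wrapper and nothing else, so there is no glob for sudo
# to match loosely; the wrapper, not the sudoers pattern, decides which
# accounts may be changed.

# Accept only conservative account names: first character a lowercase
# letter or underscore, then lowercase letters, digits, '_' or '-', at most
# 32 characters.  A name can therefore never start with '-' (no chance of
# being read by passwd as an option) and carries no shell metacharacters.
valid_username() {
    case "$1" in
        '' )            return 1 ;;   # empty
        *[!a-z0-9_-]* ) return 1 ;;   # any character outside the allowed set
        [!a-z_]* )      return 1 ;;   # bad first character, '-' included
    esac
    [ "${#1}" -le 32 ]
}

# Numeric uid of an account, empty if the account does not exist.
uid_of() {
    getent passwd "$1" | cut -d: -f3
}

# Policy check: name must be well-formed, must exist, and must not be uid 0.
# Checking the uid rather than the literal string "root" also covers any
# second uid-0 account an administrator may have created.
check_target_user() {
    valid_username "$1" || return 1
    uid=$(uid_of "$1")
    [ -n "$uid" ]      || return 1   # unknown account
    [ "$uid" -ne 0 ]   || return 1   # root or any other uid-0 account
    return 0
}

main() {
    [ $# -eq 1 ] || { echo "usage: chpass <username>" >&2; exit 2; }
    check_target_user "$1" || {
        echo "chpass: refusing to change the password of '$1'" >&2
        exit 1
    }
    # "--" ends option parsing; the name was validated above, so passwd
    # receives exactly one plain account name.
    exec /usr/bin/passwd -- "$1"
}

# Dispatch only when invoked under the installed name, so the functions can
# also be sourced and exercised without touching any account.
case "${0##*/}" in
    chpass) main "$@" ;;
esac
```

Invoked as `sudo /usr/local/sbin/chpass alice`, the wrapper runs passwd for alice; `sudo /usr/local/sbin/chpass root` is refused by the wrapper before passwd ever starts. This only holds, as the thread notes, if the rest of the sudoers file does not also hand the same group a shell or ALL.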