[sudo-users] Disabling "sudo su" but allow everything else?

Paul Cantle paul at cantle.me
Mon Aug 2 16:49:44 EDT 2010

A fair point for sure. I only mentioned a singular vi on its own as "vi sudoers" was specifically disabled. I agree, I personally would deny all and allow what's required also.

-----Original Message-----
From: Patrick Spinler [mailto:spinler.patrick at mayo.edu] 
Sent: 02 August 2010 21:34
To: Paul Cantle
Cc: Jimmy Crackcorn; Rick_Steele at oxy.com; sudo-users at sudo.ws
Subject: Re: [sudo-users] Disabling "sudo su" but allow everything else?

On 08/02/2010 02:14 PM, Paul Cantle wrote:
> Hi All,
> I'd also look to disable /bin/vi (without the /etc/sudoers flag by adding it to the RESTRICTED alias) as users will be able to shell out of vi by default and get a root shell anyway (which will kind of make !SHELLS irrelevant).

Be careful, this way madness lies.

Remember there's many programs that can spawn a shell, Some pages such as less for instance.  Certain editors (vi and emacs) and mail handlers. 
  The list goes on and on.

You'll either find yourself missing stuff, or rapidly back yourself into a corner.

Worse, even if you catch all the system installed exceptions, *nothing* prevents a user from doing:

   cp /bin/sh_of_choice  /some/writeable/directory/whee_i_have_privs
   sudo /some/writeable/directory/whee_i_have_privs

A much better approach is to deny everything by default, and selectively grant the few privs the user really needs.  For instance, here's a setup I might do on redhat for an apache server:

@group_to_priv		ALL=(root)	/sbin/service httpd *
@group_to_priv		ALL=(root)	sudoedit /etc/http.d/*.conf
@group_to_priv		ALL=(root)	/sbin/su - apache

-- Pat

More information about the sudo-users mailing list