[sudo-users] issues with sudo -i or sudo -s

Mark Janssen maniac.nl at gmail.com
Thu Jun 10 08:25:25 EDT 2010


On Thu, Jun 10, 2010 at 12:23 PM, Sudhakar PS <Sudhakar.PS at tatatel.co.in> wrote:
> Sudoers File:
> oracle10 ALL=(ALL) ALL
> %dbaadmin       ALL=(DB) ALL
> %dbaadmin       ALL=(oracle10) ALL

This gives everyone in group dbaadmin full root access... they sudo to
oracle10, start a shell, and sudo to root ;P
Only the ALL=(oracle10) line should be enough...
dbaadmin$ sudo -u oracle10 <some_command>
is the command your users should use to run something as oracle10

> Cmnd_Alias SHELLS=/usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh,/bin/rsh,/bin/jsh,/bin/pfcsh,/bin/pfksh,/bin/pfsh,/bin/rksh,/bin/tcsh,/bin/zsh,/bin/bash,/usr/bin/jsh,/usr/bin/pfcsh,/usr/bin/pfksh,/usr/bin/pfsh,/usr/bin/rksh,/usr/bin/tcsh,/usr/bin/zsh,/usr/bin/bash,/bin/su -,/bin/su - root,/usr/bin/su -, /usr/bin/su - root,/bin/su ""
> %sysadmin       ALL=!SHELLS

Negations don't work as you would expect... people can make a symlink
to a shell and start that, or they can start vi, and use a
shell-escape.
They can write their own script, which runs a shell, and start that.

> %sysadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more

You should make NOEXEC a default, and !NOEXEC the specific commands
that NEED it.

> %sysadmin       ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
Second bit doesn't work as expected either...

> %dbaadmin       ALL=!SHELLS
Same...

> %dbaadmin       ALL=NOEXEC: /usr/bin/vi,/usr/bin/more
Same...

-- 
Mark Janssen  --  maniac(at)maniac.nl  --  pgp: 0x357D2178 |   ,''`.  |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl |  : :' :  |
Maniac.nl      MarkJanssen.nl      NerdNet.nl      Unix.nl |  `. `'   |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet |    `-    |
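A small lint check for the three sudoers problems raised in this thread (negated command lists, a runas chain through an account that itself has root, and NOEXEC not being the default), added here as an example and not code from the thread or from the sudo project; the sudoers text is a constructed, shortened copy of the quoted rules, and the parser handles only simple one-line rules.

```python
"""Tiny sudoers linter for the misconfigurations discussed above (added example)."""
import re

# Constructed sample reproducing the quoted rules in shortened form.
SAMPLE_SUDOERS = """\
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/su -, /bin/su - root
oracle10  ALL=(ALL) ALL
%dbaadmin ALL=(DB) ALL
%dbaadmin ALL=(oracle10) ALL
%sysadmin ALL=!SHELLS
%sysadmin ALL=NOEXEC: /usr/bin/vi, /usr/bin/more
%sysadmin ALL= /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
"""

# user/group  host = (runas) cmd, cmd, ...   (simplified: one rule per line, no '\' continuation)
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def parse(text):
    """Return (defaults_lines, rules); alias definitions are skipped, names left unexpanded."""
    defaults, rules = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.split()[0].endswith("_Alias"):
            continue
        if line.startswith("Defaults"):
            defaults.append(line)
            continue
        m = RULE_RE.match(line)
        if m:
            runas = (m.group("runas") or "root").split(":")[0].strip()  # runas defaults to root
            cmds = [c.strip() for c in m.group("cmds").split(",")]
            rules.append({"who": m.group("who"), "runas": runas, "cmds": cmds})
    return defaults, rules


def lint(text):
    """Return a list of (finding_kind, detail) tuples for the sudoers text."""
    defaults, rules = parse(text)
    findings = []
    if not any(re.search(r"\bnoexec\b", d) for d in defaults):
        findings.append(("noexec-not-default", "Defaults"))
    # Principals that can run anything as root (directly or via runas ALL).
    grants_root = {r["who"] for r in rules if r["runas"] in ("ALL", "root") and "ALL" in r["cmds"]}
    for r in rules:
        for c in r["cmds"]:
            if c.startswith("!"):  # '!' subtraction: trivially bypassed, see the reply above
                findings.append(("negation", f"{r['who']}: {c}"))
        if r["runas"] in grants_root and "ALL" in r["cmds"]:  # two-hop path to root
            findings.append(("runas-chain", f"{r['who']} -> {r['runas']} -> root"))
    return findings
```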