[sudo-users] Why is root in the sudoers file?
Nikolas Britton
nikolas.britton at gmail.com
Fri Jun 25 12:09:57 EDT 2010
Hi,
Why is root in the sudoers file? Root can do anything because it has a
UID of 0. So adding "root ALL=(ALL) ALL" to the sudoers file is
redundant because root does not need to use sudo! In my mind it just
creates an extra security risk. For example: sudo sudo su - or sudo
sudo bash to get around command logging.
The place I work at has a project to add the following to our sudoers files:
Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo
ALL ALL=!SUDOSUDO
This is pointless from what I understand of sudo and Unix. All that's
needed to circumvent this is to copy the sudo binary to another
location. For example: cp /bin/sudo /sbin/sudo; sudo /sbin/sudo su -.
All that is needed to prevent this is the removal of "root ALL=(ALL)
ALL" or the addition of "Defaults !root_sudo" to the sudoers file. I
can't think of any reason why root is in the sudoers file.
-Nikolas
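
Added example, not part of the original message: a small audit that flags the three sudoers constructs the message discusses (a root entry, a "!"-negated command in a user specification, and the absence of "Defaults !root_sudo"). The names audit, logical_lines and SAMPLE_SUDOERS and the finding codes are hypothetical, the sample policy is constructed from the lines quoted above, and the parser is a simplification that assumes one host specification per line and only the global Defaults form.

```python
import re

# Constructed sample policy built from the lines quoted in the message.
SAMPLE_SUDOERS = """\
Defaults env_reset
Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, \\
    /usr/bin/sudo, /bin/sudo
root ALL=(ALL) ALL
ALL ALL=!SUDOSUDO
"""

def logical_lines(text):
    """Join backslash continuations; drop blank lines and '#' comment lines."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Return (code, detail) findings for the constructs discussed above."""
    findings = []
    root_sudo_off = False
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            # Only the global form "Defaults !root_sudo" is recognised here.
            if re.search(r"(^|[\s,])!root_sudo\b", line):
                root_sudo_off = True
            continue
        if re.match(r"(User|Runas|Host|Cmnd)_Alias\b", line):
            continue  # alias definitions grant nothing by themselves
        if "=" not in line:
            continue
        who, cmnds = line.split("=", 1)
        if who.split()[:1] == ["root"]:
            findings.append(("ROOT_ENTRY", line))
        # Strip "(runas)" groups and "TAG:" prefixes, then look for "!cmd".
        cmnds = re.sub(r"\([^)]*\)|\b[A-Z_]+:", " ", cmnds)
        if any(c.strip().startswith("!") for c in cmnds.split(",")):
            findings.append(("NEGATED_CMND", line))
    if not root_sudo_off:
        findings.append(("ROOT_SUDO_ON", "Defaults !root_sudo not set"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_SUDOERS):
        print(f"{code:13} {detail}")
```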