[sudo-users] Why is root in the sudoers file?
Todd C. Miller
Todd.Miller at courtesan.com
Fri Jun 25 13:12:11 EDT 2010
In message <AANLkTilqWXHNXIn5WtodNyC_Xmm5wM2hGWCd0ei5NNPW at mail.gmail.com>
so spake Nikolas Britton (nikolas.britton):
> Why is root in the sudoers file? Root can do anything because it has a
> UID of 0. So adding "root ALL=(ALL) ALL" to the sudoers file is
> redundant because root does not need to use sudo! In my mind it just
> creates an extra security risk. for example: sudo sudo su - or sudo
> sudo bash to get around command logging.
Having root in sudoers allows users who need to do "sudo su" or
"sudo -s" for certain things to still use sudo have the commands
logged. Obviously, you cannot force people to do this but this is
where local policy about root access comes into play.
> The place I work at has a project to add the following to our sudoers files:
>
> Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo
> ALL ALL=!SUDOSUDO
>
> This is pointless from what I understand of sudo and unix. All that's
> needed to circumvent this is to copy the sudo binary to another
> location. for example: cp /bin/sudo /sbin/sudo; sudo /sbin/sudo su -.
Yes, there's little point in that. Giving access to ALL with certain
restrictions is just not effective. The user could just make a
copy of any command or shell, or simply write a script that does
what they want, and run that.
- todd
More information about the sudo-users
mailing list