[sudo-users] Why is root in the sudoers file?

highc at stny.rr.com highc at stny.rr.com
Fri Jun 25 14:57:12 EDT 2010



Todd C. Miller wrote:

>>
>>Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo
>>ALL ALL=!SUDOSUDO
>>
>>This is pointless from what I understand of sudo and unix. All that's
>>needed to circumvent this is to copy the sudo binary to another
>>location. For example: cp /bin/sudo /sbin/sudo; sudo /sbin/sudo su -.
> 
> 
> Yes, there's little point in that.  Giving access to ALL with certain
> restrictions is just not effective.  The user could just make a
> copy of any command or shell, or simply write a script that does
> what they want, and run that.
> 
>  - todd
> ____________________________________________________________ 
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
> 
> 
Let's assume that 99.9% of the work a system SA does is via sudo; 
clearly, they need to be granted a -very- broad range of activities. 
While you cannot -stop- system admins from taking overt harmful actions, 
you can make it so that they must take an 'overt' action to defeat some 
of the restrictions.  By having this be done as an 'overt' action, 
rather than an 'incidental' action, does this not show some level of 
control?  For instance, doesn't someone taking an action of copying 
/usr/local/bin/sudo /home/myid/bin/sudo show some form of 'mal 
intent'?  I appreciate this is a matter of providing only an 
'opportunity to demonstrate' malfeasance rather than a rock solid cage; 
but isn't that better than nothing?

Interesting discussion!

-Chris.
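The thread's point is that a negation such as ALL ALL=!SUDOSUDO is only a speed bump when the same user is also granted ALL. The lint below is an added example, not code from sudo or from anyone in this thread: it parses the small subset of sudoers syntax shown above (Cmnd_Alias lines and "user host=(runas) [TAG:] cmd, !cmd" specs; Defaults, includes and other alias types are ignored) and reports users whose effective grant is "ALL minus a negation", which is the configuration Todd describes as ineffective. The sample sudoers text is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the weak setup from the thread plus one positive allow-list entry.
SAMPLE_SUDOERS = """\
Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo
Cmnd_Alias SERVICES = /usr/sbin/service, /bin/systemctl
admins ALL=(ALL) ALL
ALL ALL=!SUDOSUDO
deploy ALL=(root) NOPASSWD: SERVICES
"""

def parse_sudoers(text):
    """Return (aliases, grants): alias name -> commands, user -> [(negated, cmd)]."""
    aliases, grants = {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (and #include lines)
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        # user host=(runas) [TAG:] cmd, cmd ...
        lhs, rhs = line.split("=", 1)
        user = lhs.split()[0]
        rhs = re.sub(r"\([^)]*\)", "", rhs)          # drop the (runas) list
        rhs = re.sub(r"\b[A-Z]+:", "", rhs)          # drop NOPASSWD: style tags
        for entry in (e.strip() for e in rhs.split(",")):
            negated = entry.startswith("!")
            name = entry.lstrip("!").strip()
            for cmd in aliases.get(name, [name]):    # expand a Cmnd_Alias, else literal
                grants[user].append((negated, cmd))
    return aliases, dict(grants)

def find_ineffective_negations(text):
    """Users granted ALL with some commands negated: the negation can be defeated
    by copying or scripting the command, so report it as a finding."""
    _, grants = parse_sudoers(text)
    negated_everywhere = {c for n, c in grants.get("ALL", []) if n}
    findings = {}
    for user, entries in grants.items():
        if user == "ALL":
            continue
        allowed = {c for n, c in entries if not n}
        denied = {c for n, c in entries if n} | negated_everywhere
        if "ALL" in allowed and denied:
            findings[user] = sorted(denied)
    return findings
```

On the sample, only admins is reported (ALL minus the three sudo paths); deploy has a positive allow-list and no finding, which is the shape the thread recommends instead.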



