[sudo-users] sudo remove -s and -i option

Paul Cantle paul at cantle.me
Tue Aug 22 01:28:18 MDT 2017


There are more

sudo <shell>
sudo vi (and then shell out)
For example

This is a slippery slope. Surely giving ALL and excluding commands with ! is a better approach. Or if you only want certain commands to be allowed then don't allow ALL and only explicitly reference the allowed commands.

I would say editing source code to block 2 flags when a few others allow becoming root is pointless and opens up other potential vulnerabilities.



On Tue, Aug 22, 2017 at 7:49 AM +0100, "Goodman Leung" <gbcbooksmj at gmail.com> wrote:


Now, the only insecure thing left is "sudo su".



On 2017/8/22 14:46, Goodman Leung wrote:
> unalias command? Example?
>
> But anyway, I modified the sudo source code and it satisfies what I need.
>
> Here is the solution:
>
> vi ./src/parse_args.c
> change
> static const char short_opts[] =
> "+Aa:bC:c:D:Eeg:Hh::iKklnPp:r:SsT:t:U:u:Vv";
> to
> static const char short_opts[] =
> "+Aa:bC:c:D:Eeg:Hh::KklnPp:r:ST:t:U:u:Vv";
>
> Then recompile sudo,
> and you will find that options -i and -s are invalid.
>
> On 2017/8/22 11:34, jbhanusri sri wrote:
>> Hi,
>>
>> It would be good to hear the security reason for removing that.
>>
>> However if you want to remove you can use unalias command.
>>
>> Thanks and Regards,
>> Bhanusri
>>
>> On Mon, Aug 21, 2017 at 2:52 AM, Goodman Leung wrote:
>>
>>
>>     Hi list,
>>
>>     For security policy, I need to remove the sudo -s or -i option.
>>     I think I need to modify the sudo source code, but before that,
>>     any suggestions?
>>     ____________________________________________________________
>>     sudo-users mailing list
>>     For list information, options, or to unsubscribe, visit:
>>     https://www.sudo.ws/mailman/listinfo/sudo-users
>>
>>
>>
>
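
The thread's observation that `sudo <shell>`, `sudo su` and `sudo vi` give a root shell whether or not -s and -i exist can be checked against the policy itself. The following is an added example, not part of the thread or of the sudo project: a Python audit over a constructed sample sudoers policy. The shell and shell-escape lists are non-exhaustive assumptions, and aliases, line continuations and escaped commas are not handled.

```python
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}  # constructed, non-exhaustive
ESCAPES = {"vi", "vim", "ed", "less", "more"}  # programs with a "!" shell escape
SKIP = re.compile(r"^(#|Defaults|(User|Runas|Host|Cmnd)_Alias\b|@include)")
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...

def classify(cmd):
    """Return why a granted command yields a root shell, or None."""
    if cmd == "ALL":
        return "grants every command"
    name = cmd.split()[0].rsplit("/", 1)[-1]
    if name in SHELLS:
        return "is a shell"
    if name == "su":
        return "runs su"
    if name in ESCAPES:
        return "can shell out"
    return None

def audit(sudoers_text):
    """Flag user specs that give a shell without sudo -s or -i."""
    findings = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        m = None if not line or SKIP.match(line) else SPEC.match(line)
        for cmd in (m.group(2).split(",") if m else []):
            cmd = TAG.sub("", cmd.strip())
            if not cmd or cmd.startswith("!"):  # a negation grants nothing
                continue
            reason = classify(cmd)
            if reason:
                findings.append((lineno, m.group(1), cmd, reason))
    return findings

SAMPLE = """\
# constructed sample policy
Defaults env_reset
alice ALL=(ALL) ALL, !/bin/su
bob   ALL=(root) NOPASSWD: /usr/bin/vi /etc/hosts, /usr/bin/systemctl restart nginx
carol ALL=(root) /bin/bash
dave  ALL=(root) /usr/bin/systemctl status nginx
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("line %d: %s -> %s (%s)" % f)
```

Only dave's entry, an explicit command with no shell escape, passes without a finding.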
