[sudo-users] sudo remove -s and -i option

Goodman Leung gbcbooksmj at gmail.com
Tue Aug 22 04:35:50 MDT 2017


Yes, I agree with you.

Only allowing explicit commands is more effective, but it is not easy to do on
a running business system.

On 2017/8/22 15:28, Paul Cantle wrote:
> There are more
>
> sudo <shell>
> sudo vi (and then shell out)
> For example
>
> This is a slippery slope. Surely giving ALL and excluding commands 
> with ! is a better approach. Or if you only want certain commands to 
> be allowed then don't allow ALL and only explicitly reference the 
> allowed commands.
>
> I would say editing source code to block 2 flags when a few others 
> allow becoming root is pointless and opens up other potential 
> vulnerabilities
>
>
>
> On Tue, Aug 22, 2017 at 7:49 AM +0100, "Goodman Leung" 
> <gbcbooksmj at gmail.com> wrote:
>
>     now, the only insecure thing left is "sudo su"
>
>
>
>     On 2017/8/22 14:46, Goodman Leung wrote:
>     > unalias command? example?
>     >
>     > but anyway, I modified the sudo source code and it satisfies what I need.
>     >
>     > here is the solution
>     >
>     > vi ./src/parse_args.c
>     > change
>     > static const char short_opts[] = 
>     > "+Aa:bC:c:D:Eeg:Hh::iKklnPp:r:SsT:t:U:u:Vv";
>     > to
>     > static const char short_opts[] = 
>     > "+Aa:bC:c:D:Eeg:Hh::KklnPp:r:ST:t:U:u:Vv";
>     >
>     > then recompile sudo,
>     > and you will find that the options -i and -s are invalid.
>     >
>     > On 2017/8/22 11:34, jbhanusri sri wrote:
>     >> Hi,
>     >>
>     >> It would be good to hear the security reason for removing that.
>     >>
>     >> However if you want to remove you can use unalias command.
>     >>
>     >> Thanks and Regards,
>     >> Bhanusri
>     >>
>     >> On Mon, Aug 21, 2017 at 2:52 AM, Goodman Leung wrote:
>     >>
>     >>> hi list
>     >>>
>     >>> for security policy, I need to remove the sudo -s or -i option,
>     >>> I think I need to modify the sudo source code, but before that,
>     >>> any suggestions?
>     >>>
>     >>> ____________________________________________________________
>     >>> sudo-users mailing list
>     >>> For list information, options, or to unsubscribe, visit:
>     >>> https://www.sudo.ws/mailman/listinfo/sudo-users
>
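As an added illustration of the sudoers-policy side of this thread (my own example, not code from the thread or from the sudo project): a small Python audit that parses constructed sample sudoers content and reports rules that grant ALL, distinguishing the "ALL plus ! exclusions" shape Paul warns about from a plain ALL grant, while the explicit allow-list rule passes. The `ops` user, the command paths and the minimal grammar the parser accepts are assumptions.

```python
import re

# Constructed sample sudoers content (not from the thread). The first file uses the
# "grant ALL, then carve out shells with !" pattern; the second grants only named commands.
WEAK_SUDOERS = """
# Deny-list on top of ALL: any shell, editor or interpreter not listed still gets root.
ops ALL=(ALL) ALL, !/bin/sh, !/bin/bash, !/usr/bin/su
"""

HARDENED_SUDOERS = """
# Explicit allow-list: only these commands, with these arguments, run as root.
Cmnd_Alias DEPLOY = /usr/bin/systemctl restart myapp, /usr/bin/journalctl -u myapp
ops ALL=(root) DEPLOY
"""

# user  host = (runas) command, command, ...   (hypothetical minimal grammar: one user
# per line, no '\' continuations, no alias expansion, no NOPASSWD-style tags)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(\((?P<runas>[^)]*)\))?\s*(?P<cmnds>.+)$")

def parse_rules(text):
    """Return (user, runas, [commands]) for each user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if first == "Defaults" or first.endswith("_Alias"):
            continue  # options and alias definitions are not grants
        m = RULE_RE.match(line)
        if m:
            cmnds = [c.strip() for c in m.group("cmnds").split(",")]
            rules.append((m.group("user"), m.group("runas") or "", cmnds))
    return rules

def audit(text):
    """Flag every rule that grants ALL. A rule is 'deny-list' when it also carries
    '!' exclusions (the bypassable shape discussed above); a plain ALL grant is
    reported too, since both let the user reach a root shell."""
    findings = []
    for user, runas, cmnds in parse_rules(text):
        if "ALL" not in cmnds:
            continue  # explicit allow-list: nothing to report
        excluded = [c for c in cmnds if c.startswith("!")]
        shape = "deny-list" if excluded else "all"
        findings.append({"user": user, "runas": runas, "shape": shape, "excluded": excluded})
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_SUDOERS), "hardened:", audit(HARDENED_SUDOERS))
```

Run it against a real /etc/sudoers copy to list every ALL grant; for production use, `visudo -c` and `sudo -l -U user` remain the authoritative checks.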