[sudo-users] sudo remove -s and -i option

Todd C. Miller Todd.Miller at courtesan.com
Tue Aug 22 08:53:07 MDT 2017


On Tue, 22 Aug 2017 09:47:30 +0800, Goodman Leung wrote:

> with these two options, normal user which has sudo permission are able to
> promote as root.
> for our security policy, it is now allow.

That is only true if the sudoers file allows it.

For "sudo -s" and "sudo -i" to work the user's sudoers entry must
allow them to run a shell.  Removing the -s or -i options is
completely ineffective since they can still "sudo sh" or "sudo
bash", etc.  You need to prevent them from running those commands
in the sudoers policy, not by changing the command line options.

 - todd
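
As an added example, not part of the original message: a small Python check that reads sudoers-style lines and reports which users are permitted to start a shell, the condition that makes "sudo -s", "sudo -i", "sudo sh" and "sudo bash" work. The sample policy, the user names and the simplified parsing are assumptions made for illustration.

```python
import re

# Shells that "sudo sh", "sudo bash", etc. would start (basename match).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}

# Constructed sample policy; users, aliases and commands are hypothetical.
SAMPLE_SUDOERS = """\
Defaults env_reset
Cmnd_Alias WEB = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
alice ALL=(ALL) ALL
bob   ALL=(root) WEB
carol ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx, /bin/bash
dave  ALL=(ALL) ALL, !/bin/sh, !/bin/bash
"""

def split_cmds(text):
    """Split a command list on commas and drop leading tags such as NOPASSWD:."""
    items = (re.sub(r"^(\s*[A-Z_]+:)+", "", i.strip()).strip() for i in text.split(","))
    return [i for i in items if i]

def shell_granting_entries(sudoers_text):
    """Return {user: [matching commands]} for entries that permit a shell.

    Simplified reader: one user spec per line, no line continuations,
    no escaped commas, only Cmnd_Alias expansion.
    """
    aliases, findings = {}, {}
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = split_cmds(m.group(2))
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m:
            continue
        cmds = [c for i in split_cmds(m.group(2)) for c in aliases.get(i, [i])]
        # "!" entries grant nothing, and sudoers(5) notes that subtracting
        # commands from ALL with "!" is generally not effective, so ALL is
        # reported even when negations follow it.
        progs = [c.split()[0] for c in cmds if not c.startswith("!")]
        hits = [p for p in progs if p == "ALL" or p.rsplit("/", 1)[-1] in SHELLS]
        if hits:
            findings[m.group(1)] = hits
    return findings

if __name__ == "__main__":
    for user, cmds in shell_granting_entries(SAMPLE_SUDOERS).items():
        print(f"{user}: can start a shell via {', '.join(cmds)}")
```

Only bob, whose entry lists specific non-shell commands, is absent from the report; the other three entries would still allow a root shell with the -s and -i options removed from sudo.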

