[sudo-users] sudo remove -s and -i option
gbcbooksmj at gmail.com
Tue Aug 22 20:13:23 MDT 2017
well , before i m doing this, i have another solutions , i write a
security binary to replace /usr/bin/sudo ,
you are now able to execute sudo -s , sudo -i , sudo su , and even sudo
would you guys wanna try ?
i just think it is not perfect enough.
在 2017/8/23 1:18, David Ledger 写道:
> On 22 Aug 2017, at 11:35, Goodman Leung wrote:
>> yes , i agree with you ,
>> only allow explicit commands is more effective , but we it is not
>> easy to a running business system .
>> 在 2017/8/22 15:28, Paul Cantle 写道:
> As a contact Unix SysAdmin since 1990 I’ve seen many ‘security’
> scenarios, and the root (:-)) of your problem isn’t sudo, but most
> likely the security policy. Usually when it’s a battle between
> security and getting things done it means that the security policy is
> badly thought out. What you need are people who know what they are
> doing who are totally trustworthy and very careful how they do things.
> Externally produced security policies are the worst. Your company pays
> them money, they give you a policy; but it’s then not their problem
> that things can’t get done. Where it appears to work there’s usually a
> hidden back door somewhere.
More information about the sudo-users