[sudo-users] sudo remove -s and -i option

Goodman Leung gbcbooksmj at gmail.com
Tue Aug 22 20:14:03 MDT 2017


Well, before I'm doing this, I have another solution: I wrote a 
security binary to replace /usr/bin/sudo.

You are not able to execute sudo -s, sudo -i, sudo su, and even sudo 
/bin/bash.

Would you guys wanna try?

I just think it is not perfect enough.

On 2017/8/23 10:13, Goodman Leung wrote:
> Well, before I'm doing this, I have another solution: I wrote a 
> security binary to replace /usr/bin/sudo.
>
> You are now able to execute sudo -s, sudo -i, sudo su, and even 
> sudo /bin/bash.
>
> Would you guys wanna try?
>
> I just think it is not perfect enough.
>
> On 2017/8/23 1:18, David Ledger wrote:
>> On 22 Aug 2017, at 11:35, Goodman Leung wrote:
>>
>>> Yes, I agree with you.
>>>
>>> Only allowing explicit commands is more effective, but it is not 
>>> easy for a running business system.
>>>
>>> On 2017/8/22 15:28, Paul Cantle wrote:
>>
>> As a contract Unix SysAdmin since 1990 I’ve seen many ‘security’ 
>> scenarios, and the root (:-)) of your problem isn’t sudo, but most 
>> likely the security policy. Usually when it’s a battle between 
>> security and getting things done it means that the security policy is 
>> badly thought out. What you need are people who know what they are 
>> doing who are totally trustworthy and very careful how they do 
>> things. Externally produced security policies are the worst. Your 
>> company pays them money, they give you a policy; but it’s then not 
>> their problem that things can’t get done. Where it appears to work 
>> there’s usually a hidden back door somewhere.
>>
>> David
>>
>
