[sudo-users] sudo remove -s and -i option
gbcbooksmj at gmail.com
Tue Aug 22 20:14:03 MDT 2017
well , before i m doing this, i have another solutions , i write a
security binary to replace /usr/bin/sudo ,
you are not able to execute sudo -s , sudo -i , sudo su , and even sudo
would you guys wanna try ?
i just think it is not perfect enough.
在 2017/8/23 10:13, Goodman Leung 写道:
> well , before i m doing this, i have another solutions , i write a
> security binary to replace /usr/bin/sudo ,
> you are now able to execute sudo -s , sudo -i , sudo su , and even
> sudo /bin/bash.
> would you guys wanna try ?
> i just think it is not perfect enough.
> 在 2017/8/23 1:18, David Ledger 写道:
>> On 22 Aug 2017, at 11:35, Goodman Leung wrote:
>>> yes , i agree with you ,
>>> only allow explicit commands is more effective , but we it is not
>>> easy to a running business system .
>>> 在 2017/8/22 15:28, Paul Cantle 写道:
>> As a contact Unix SysAdmin since 1990 I’ve seen many ‘security’
>> scenarios, and the root (:-)) of your problem isn’t sudo, but most
>> likely the security policy. Usually when it’s a battle between
>> security and getting things done it means that the security policy is
>> badly thought out. What you need are people who know what they are
>> doing who are totally trustworthy and very careful how they do
>> things. Externally produced security policies are the worst. Your
>> company pays them money, they give you a policy; but it’s then not
>> their problem that things can’t get done. Where it appears to work
>> there’s usually a hidden back door somewhere.
More information about the sudo-users