[sudo-users] sudo remove -s and -i option

Paul Cantle paul at cantle.me
Tue Aug 22 22:43:30 MDT 2017


If you insist on doing it this way, you will need to exclude /bin/vi too (because you can gain a shell from it), as well as any other shells besides bash that you have installed.

_____________________________
From: Goodman Leung <gbcbooksmj at gmail.com<mailto:gbcbooksmj at gmail.com>>
Sent: Wednesday, August 23, 2017 03:13
Subject: Re: [sudo-users] sudo remove -s and -i option
To: David Ledger <david.ledger at ivdcs.co.uk<mailto:david.ledger at ivdcs.co.uk>>
Cc: Paul Cantle <paul at cantle.me<mailto:paul at cantle.me>>, jbhanusri sri <jbhanusri at gmail.com<mailto:jbhanusri at gmail.com>>, <sudo-users at sudo.ws<mailto:sudo-users at sudo.ws>>


Well, before I do this, I have another solution: I wrote a security binary to replace /usr/bin/sudo.

With it you are not able to execute sudo -s, sudo -i, sudo su, or even sudo /bin/bash.

Would you guys want to try it?

I just think it is not perfect enough.

On 2017/8/23 10:13, Goodman Leung wrote:
Well, before I do this, I have another solution: I wrote a security binary to replace /usr/bin/sudo.

With it you are now able to execute sudo -s, sudo -i, sudo su, and even sudo /bin/bash.

Would you guys want to try it?

I just think it is not perfect enough.

On 2017/8/23 1:18, David Ledger wrote:
On 22 Aug 2017, at 11:35, Goodman Leung wrote:

Yes, I agree with you.

Only allowing explicit commands is more effective, but it is not easy to do on a running business system.

On 2017/8/22 15:28, Paul Cantle wrote:

As a contract Unix SysAdmin since 1990 I’ve seen many ‘security’ scenarios, and the root (:-)) of your problem isn’t sudo, but most likely the security policy. Usually when it’s a battle between security and getting things done, it means that the security policy is badly thought out. What you need are people who know what they are doing, who are totally trustworthy and very careful about how they do things. Externally produced security policies are the worst. Your company pays them money, they give you a policy; but it’s then not their problem that things can’t get done. Where it appears to work there’s usually a hidden back door somewhere.

David
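Paul's point about /bin/vi is one instance of a general problem: a sudoers rule that grants ALL and then subtracts a few shells with "!" can be escaped through any allowed program that can spawn a child process (an editor's shell escape, find -exec, copying a shell to a new path), and sudoers(5) itself warns that subtracting commands from ALL is not effective. The script below is an added example written for this page, not code from the thread or from the sudo project. It places the deny-list form that the thread is discussing beside an explicit allow-list with NOEXEC, and flags deny-list rules mechanically so the check can run in CI. The user name "deploy", the commands in the alias and the sample sudoers text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: deny-list sudoers rule versus allow-list,
# plus a check that flags the deny-list pattern. All names are hypothetical.

# Weak form (constructed sample): everything except a few named shells.
# Any allowed program that can exec() a child still yields a root shell, so
# the "!" list can never be complete.
WEAK_SUDOERS='
# Constructed sample
deploy ALL=(root) ALL, !/bin/bash, !/bin/sh, !/usr/bin/su
'

# Hardened form (constructed sample): name the exact commands and arguments,
# keep ALL off the line entirely, and add the NOEXEC tag so the allowed
# commands cannot exec() anything (sudo implements this with LD_PRELOAD, so it
# only covers dynamically linked programs; see sudoers(5)).
STRONG_SUDOERS='
Cmnd_Alias DEPLOY_CMDS = /usr/bin/systemctl restart app.service, \
                         /usr/bin/tail -n 200 /var/log/app.log
deploy ALL=(root) NOEXEC: DEPLOY_CMDS
'

# Print every non-comment line that grants ALL and then subtracts commands
# with "!" -- the pattern the thread is trying to make airtight.
denylist_rules() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -E 'ALL[[:space:]]*,[[:space:]]*!'
}

# Number of such rules, as a single value for a CI gate.
denylist_count() {
    denylist_rules "$1" | grep -c .
}

# Stand-alone run: report both samples.
echo "deny-list rules in WEAK_SUDOERS:   $(denylist_count "$WEAK_SUDOERS")"
echo "deny-list rules in STRONG_SUDOERS: $(denylist_count "$STRONG_SUDOERS")"
```

Before installing either fragment under /etc/sudoers.d, syntax-check it with `visudo -c -f <file>`, and afterwards confirm what the user actually gets with `sudo -l -U deploy`. The allow-list still has to be reviewed per command: a pinned argument list keeps `systemctl restart app.service` from turning into `systemctl status`, whose pager has a shell escape, and NOEXEC does not help for statically linked binaries or interpreters that open their own shell-like features without exec().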
