[sudo-users] sudo remove -s and -i option

Goodman Leung gbcbooksmj at gmail.com
Wed Aug 23 00:10:59 MDT 2017


We have installed that system on all machines, we have to forward.

On 2017/8/23 12:43, Paul Cantle wrote:
> If you insist on doing it this way, you will need to exclude /bin/vi 
> too (because you can gain a shell from it) as well as any other shells 
> other than bash that you have installed
>
> _____________________________
> From: Goodman Leung <gbcbooksmj at gmail.com>
> Sent: Wednesday, August 23, 2017 03:13
> Subject: Re: [sudo-users] sudo remove -s and -i option
> To: David Ledger <david.ledger at ivdcs.co.uk>
> Cc: Paul Cantle <paul at cantle.me>, jbhanusri sri
> <jbhanusri at gmail.com>, <sudo-users at sudo.ws>
>
>
> Well, before I'm doing this, I have another solution, I write a
> security binary to replace /usr/bin/sudo,
>
> you are not able to execute sudo -s, sudo -i, sudo su, and even
> sudo /bin/bash.
>
> Would you guys wanna try?
>
> I just think it is not perfect enough.
>
> On 2017/8/23 10:13, Goodman Leung wrote:
>
>     Well, before I'm doing this, I have another solution, I write
>     a security binary to replace /usr/bin/sudo,
>
>     you are now able to execute sudo -s, sudo -i, sudo su, and even
>     sudo /bin/bash.
>
>     Would you guys wanna try?
>
>     I just think it is not perfect enough.
>
>     On 2017/8/23 1:18, David Ledger wrote:
>
>         On 22 Aug 2017, at 11:35, Goodman Leung wrote:
>
>             Yes, I agree with you,
>
>             only allowing explicit commands is more effective, but it
>             is not easy for a running business system.
>
>             On 2017/8/22 15:28, Paul Cantle wrote:
>
>
>         As a contact Unix SysAdmin since 1990 I’ve seen many
>         ‘security’ scenarios, and the root (:-)) of your problem isn’t
>         sudo, but most likely the security policy. Usually when it’s a
>         battle between security and getting things done it means that
>         the security policy is badly thought out. What you need are
>         people who know what they are doing who are totally
>         trustworthy and very careful how they do things. Externally
>         produced security policies are the worst. Your company pays
>         them money, they give you a policy; but it’s then not their
>         problem that things can’t get done. Where it appears to work
>         there’s usually a hidden back door somewhere.
>
>         David
>
>
>
>
>
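
Added example, not part of the thread and not the sudo project's own configuration: a sudoers sketch contrasting the exclude-list approach discussed above with granting explicit commands. The group names, the service name and the file paths are assumptions chosen for illustration.

```sudoers
# Constructed example. %ops, %webadmins, httpd and all paths are placeholders.

# --- Exclude list: allow everything, then subtract shells and editors ---
Cmnd_Alias SHELLS  = /bin/sh, /bin/bash, /usr/bin/su
Cmnd_Alias EDITORS = /bin/vi
%ops ALL = (root) ALL, !SHELLS, !EDITORS
# Matching is by path, so only the entries listed above are refused.
# Every other installed shell, editor or program that can start a child
# process remains permitted, which is why the list keeps growing.

# --- Explicit commands: grant only what the role needs ---
Cmnd_Alias WEB_SVC = /usr/bin/systemctl restart httpd, \
                     /usr/bin/systemctl status httpd
# NOEXEC asks sudo to stop the permitted command from executing further
# programs (effective for dynamically linked binaries).
%webadmins ALL = (root) NOEXEC: WEB_SVC
# sudoedit runs the editor as the invoking user on a temporary copy and
# writes the result back, so the editor itself never runs as root.
%webadmins ALL = (root) sudoedit /etc/httpd/conf/httpd.conf
```

A fragment like this can be syntax-checked with `visudo -cf <file>` before it is installed.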


