[sudo-users] sudo remove -s and -i option
Goodman Leung
gbcbooksmj at gmail.com
Wed Aug 23 00:10:59 MDT 2017
We have installed that system on all machines, we have to forward.
On 2017/8/23 12:43, Paul Cantle wrote:
> If you insist on doing it this way, you will need to exclude /bin/vi
> too (because you can gain a shell from it) as well as any other shells
> other than bash that you have installed
>
> _____________________________
> From: Goodman Leung <gbcbooksmj at gmail.com>
> Sent: Wednesday, August 23, 2017 03:13
> Subject: Re: [sudo-users] sudo remove -s and -i option
> To: David Ledger <david.ledger at ivdcs.co.uk>
> Cc: Paul Cantle <paul at cantle.me>, jbhanusri sri
> <jbhanusri at gmail.com>, <sudo-users at sudo.ws>
>
>
> Well, before I'm doing this, I have another solution: I write a
> security binary to replace /usr/bin/sudo.
>
> You are not able to execute sudo -s, sudo -i, sudo su, and even
> sudo /bin/bash.
>
> Would you guys wanna try?
>
> I just think it is not perfect enough.
>
> On 2017/8/23 10:13, Goodman Leung wrote:
>
> Well, before I'm doing this, I have another solution: I write
> a security binary to replace /usr/bin/sudo.
>
> You are now able to execute sudo -s, sudo -i, sudo su, and even
> sudo /bin/bash.
>
> Would you guys wanna try?
>
> I just think it is not perfect enough.
>
> On 2017/8/23 1:18, David Ledger wrote:
>
> On 22 Aug 2017, at 11:35, Goodman Leung wrote:
>
> Yes, I agree with you.
>
> Only allowing explicit commands is more effective, but it
> is not easy on a running business system.
>
> On 2017/8/22 15:28, Paul Cantle wrote:
>
>
> As a contract Unix SysAdmin since 1990 I’ve seen many
> ‘security’ scenarios, and the root (:-)) of your problem isn’t
> sudo, but most likely the security policy. Usually when it’s a
> battle between security and getting things done it means that
> the security policy is badly thought out. What you need are
> people who know what they are doing who are totally
> trustworthy and very careful how they do things. Externally
> produced security policies are the worst. Your company pays
> them money, they give you a policy; but it’s then not their
> problem that things can’t get done. Where it appears to work
> there’s usually a hidden back door somewhere.
>
> David
>
>
>
>
>
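Added example, not from the thread or the sudo project: a small audit of sudoers-style rules that flags the two patterns discussed above, a deny-list hung on `ALL` and an explicitly allowed program that can still hand out a shell. The sample policy, user names and the `SHELL_CAPABLE` list are constructed for illustration, and the parser assumes one rule per line with no continuations.

```python
import re

# Programs that hand the caller a shell: the shells themselves, su, and
# editors such as vi (named in the thread). Constructed list, not exhaustive.
SHELL_CAPABLE = {"/bin/sh", "/bin/bash", "/bin/su", "/bin/vi", "/usr/bin/vim"}

# Constructed sample policy: a deny-list rule next to explicit-command rules.
SAMPLE = """\
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/su
Cmnd_Alias WEB = /usr/bin/systemctl restart nginx, /bin/vi /etc/nginx/nginx.conf
alice ALL = (root) ALL, !SHELLS
bob   ALL = (root) WEB
carol ALL = (root) /usr/bin/systemctl restart nginx, sudoedit /etc/nginx/nginx.conf
"""

def split_cmds(s):
    return [c.strip() for c in s.split(",") if c.strip()]

def audit_sudoers(text):
    """Return (line_no, user, finding) for rules that still lead to a root shell."""
    aliases, findings = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = split_cmds(m.group(2))
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m:
            continue
        user, allowed, denied = m.group(1), [], []
        for item in split_cmds(m.group(2)):
            neg = item.startswith("!")
            name = item.lstrip("! ")
            (denied if neg else allowed).extend(aliases.get(name, [name]))
        if "ALL" in allowed:  # everything is permitted except what is negated
            missed = sorted(SHELL_CAPABLE - {d.split()[0] for d in denied})
            findings.append((no, user, "ALL granted; shell-capable programs not excluded: " + ", ".join(missed)))
        for cmd in allowed:
            if cmd.split()[0] in SHELL_CAPABLE:
                findings.append((no, user, "shell-capable command allowed: " + cmd))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

The `carol` rule passes because it lists explicit commands and uses `sudoedit`, which edits the file without running the editor as root.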