[sudo-users] sudo remove -s and -i option

Goodman Leung gbcbooksmj at gmail.com
Wed Aug 23 08:31:57 MDT 2017


Here is the output when my user executes sudo /bin/bash:

user1 at kickseed:~$ sudo /bin/bash
Traceback (most recent call last):
   File "<string>", line 92, in <module>
   File "<string>", line 33, in check_element
IndexError: list index out of range

I think they get the same result when they use /bin/sh instead.

Do you know any other command that can get a root shell?

On 2017/8/23 16:38, Maarten de Vries wrote:
>
>
> On 23 Aug 2017 4:15 a.m., "Goodman Leung" <gbcbooksmj at gmail.com> wrote:
>
>     Well, before I do this, I have another solution: I wrote
>     a security binary to replace /usr/bin/sudo.
>
>     You are not able to execute sudo -s, sudo -i, sudo su, and even
>     sudo /bin/bash.
>
>
>     Would you guys wanna try?
>
>     I just think it is not perfect enough.
>
>
> I think it is a really bad idea. If you want to prevent users 
> executing arbitrary commands you MUST whitelist exactly the commands 
> that they should be able to use.
>
> Blocking only shells is almost completely pointless because users can 
> still execute *every* other command from their own shell prefixed with 
> sudo. The only thing you would win is that every sudo invocation is 
> logged. But if they want they can destroy all logs on the local system.
>
> Also, shells and editors are far from the only tools that allow you to 
> bypass sudo logging. Every script interpreter (python/ruby/perl/etc) 
> can do the same. And then there are many more interactive tools that 
> allow users to run arbitrary commands.
>
> And if you did blacklist *everything* (which is impossible), then 
> users can just copy a blacklisted binary to their home folder with a 
> different name so it is not blacklisted anymore.
>
> In short: if you want to allow users to run arbitrary commands as 
> root, but not shells, you're pretty much out of luck. If you want to 
> allow them to do some specific things as root, whitelist exactly 
> those. Either way, writing your own sudo is not the solution.
>
> -- Maarten
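To make Maarten's point concrete, here is the "block the shells" idea written in sudoers syntax next to the allow-list he recommends. This is an added illustration, not configuration from either poster; the user name user1 and host kickseed are taken from the prompt in the thread, and the service names are made up.

```sudoers
# Constructed example (not from the thread). User "user1" and host "kickseed"
# come from the shell prompt above; "nginx" is an invented service.

# --- Anti-pattern: allow everything, then subtract the shells ---
# The "!" negations are nearly useless: user1 may still run any other
# binary as root, including script interpreters and editors, and a shell
# copied to another path under a different name is not in SHELLS at all.
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/dash, /usr/bin/su
user1 kickseed = (root) ALL, !SHELLS

# --- Recommended: list exactly the commands the user needs ---
# Absolute paths with fixed arguments. A command spec without a trailing
# wildcard matches only that exact argument list, so extra options are
# refused. Interpreters, editors and pagers are deliberately absent.
Cmnd_Alias NGINX_CTL = /usr/bin/systemctl restart nginx, \
                       /usr/bin/systemctl status nginx
Cmnd_Alias NGINX_LOG = /usr/bin/journalctl -u nginx --no-pager
user1 kickseed = (root) NGINX_CTL, NGINX_LOG

# Record terminal I/O of permitted sessions in addition to the normal
# per-command log line. Because a root-capable user can delete local
# logs (Maarten's point), these records should also be forwarded off
# the host; that forwarding is configured in the logging system, not here.
Defaults log_output
```

Check the resulting policy for a user with `sudo -l -U user1` before relying on it.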


