[sudo-users] sudo remove -s and -i option

Maarten de Vries maarten.de.zoveelste at gmail.com
Wed Aug 23 02:38:12 MDT 2017


On 23 Aug 2017 4:15 a.m., "Goodman Leung" <gbcbooksmj at gmail.com> wrote:

Well, before I do this, I have another solution: I wrote a
security binary to replace /usr/bin/sudo.

You are not able to execute sudo -s, sudo -i, sudo su, and even sudo
/bin/bash.


Would you guys wanna try?

I just think it is not perfect enough.


I think it is a really bad idea. If you want to prevent users executing
arbitrary commands you MUST whitelist exactly the commands that they should
be able to use.

Blocking only shells is almost completely pointless because users can still
execute *every* other command from their own shell prefixed with sudo. The
only thing you would win is that every sudo invocation is logged. But if
they want they can destroy all logs on the local system.

Also, shells and editors are far from the only tools that allow you to
bypass sudo logging. Every script interpreter (python/ruby/perl/etc) can do
the same. And then there are many more interactive tools that allow users
to run arbitrary commands.

And if you did blacklist *everything* (which is impossible), then users can
just copy a blacklisted binary to their home folder with a different name
so it is not blacklisted anymore.

In short: if you want to allow users to run arbitrary commands as root, but
not shells, you're pretty much out of luck. If you want to allow them to do
some specific things as root, whitelist exactly those. Either way, writing
your own sudo is not the solution.

-- Maarten
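
An added example, not part of the original post or of sudo itself: a small Python check that flags the rule styles the reply above warns against (ALL with shells negated, or an allowed interpreter) in sudoers user specifications. The sample rules, user names and the `ESCAPE_CAPABLE` list are constructed assumptions, and the parser handles only simple one-line rules.

```python
import re

# Constructed sample rules for illustration; users and commands are hypothetical.
SAMPLE = """\
alice ALL=(root) ALL, !/bin/bash, !/bin/sh, !/usr/bin/su
bob   ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl reload nginx
carol ALL=(root) NOPASSWD: /usr/bin/python3, /usr/bin/systemctl restart nginx
"""

# Assumed, deliberately incomplete list of programs that can run other commands.
# No such list can be complete, so a hit is a finding, not a fix.
ESCAPE_CAPABLE = {"sh", "bash", "su", "python", "python3", "perl", "ruby", "vi", "vim"}

# user host = (runas) command-list; simple one-line rules only.
SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # e.g. NOPASSWD:


def audit(text):
    """Return (user, finding, detail) tuples for risky rule styles."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        user, cmds = m.group(1), [TAGS.sub("", c.strip()) for c in m.group(2).split(",")]
        denied = [c for c in cmds if c.startswith("!")]
        allowed = [c for c in cmds if c and not c.startswith("!")]
        if "ALL" in allowed:
            # Negations after ALL are the blacklist approach from the thread.
            findings.append((user, "blacklist" if denied else "unrestricted", "ALL"))
            continue
        for c in allowed:
            if c.split()[0].rsplit("/", 1)[-1] in ESCAPE_CAPABLE:
                findings.append((user, "escape-capable", c))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Only bob's rule, which names exact commands with their arguments, passes without a finding.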

