John E Hein
jhein at timing.com
Mon Jan 14 10:43:46 EST 2002
Simon Perreault wrote at 06:49 -0500 on Jan 14:
> He would have to have sudo privileges with mkdir and mount to do such a
> thing. I think it's up to the admin to prevent that possibility. For example,
> I have sudo privileges on a box which enable me to do "sudo su". It's the
> admin's fault.
> If you allow cp then that user can trash your system. You just don't give
> such privileges to untrustworthy people. Think of another case: that user
> mounts an empty partition as /usr/bin. There, nothing works. sudo is only
> secure as long as you trust the user.
Yes... I agree with all that. What you said helps to make my
point... in short: sudo admins using such a recursive Cmnd_Alias will
have to take extra care to prevent their sudoers from being able to modify
the dir tree at all. As I said, I see the reason you want this behavior.
I was just answering your inquiry if anyone saw any potential security
problems. You asked ;)
> > You wanted feedback on things to consider if you wanted to implement
> > this option. Maybe you want to have an option to disallow mount point
> > traversal. There's a lot of issues and maybes that will come up if you
> > want to allow sudo'd commands under a tree as you suggest. It made me
> > think of a chroot... sorry you didn't see the parallel.
> Ah, I see it now. But I don't think chrooting would be feasible/needed.
No... not my point about the parallel between your "all subdirectories
Cmnd_Alias" and chroot. I'm not talking about allowing or implementing
chroot for this. Never mind.