hbo at egbok.com
Sun May 23 22:06:42 EDT 2004
Those are both good reasons, IMHO. It's neither "security through
obscurity" or false security to keep the number of headaches caused by
novice, root-enabled users to a minimum by putting a small barrier in
their way. Sometimes small is good enough.
I also have no problem with expressing a policy of "no root shells" by
using the '!SHELLS' syntax. If you take the position that nothing is
going to stop a determined and/or knowledgeable insider from gaining
root and evading your audit trail, then the nonexistent technical
barrier such sudoers entries provide is consistent with that view.
What's makes it tricky is the near certainty that someone who matters in
management is going to look at that and think that it really does
provide what it seems to: assurance that privileged users can't run
unaudited shells. On vanilla Linux/Unix, there's actually no way to
prevent that, with or without sudo, as far as I know.
Perhaps it would be good to provide the ability to express constructs
like these in the LDAP schema? After all, plain 'ol sudoers still lets
you do this. I imagine the capability hasn't been removed because too
many folks rely on it.
On Sun, 2004-05-23 at 17:41, Galen Johnson wrote:
> Believe me, I am under no illusions as to the security of excluding shells and know of several ways around them. As you say, this is more for the ability to slap hands when they are caught and it does stop neophytes from getting a shell. Many of my users are from a Windows world and have trouble moving around without a gui (go figure).
> -----Original Message-----
> From: sudo-users-bounces at sudo.ws on behalf of Howard Owen
> Sent: Sun 5/23/2004 2:26 AM
> To: Aaron Spangler
> Cc: sudo-users at sudo.ws; Galen Johnson
> Subject: Re: Ldif format
> On Sat, 2004-05-22 at 21:06, Aaron Spangler wrote:
> > Essentially there is an infinite amount of commands and permutations that
> > essentially give you some sort of shell. Because of this, it does not make
> > sense to allow a feature that gives the admin a false sense of security.
> > As a result, the !command feature was dropped before it became generally
> > available.
> I'm always amazed at organizations that persist in using the '!SHELLS'
> syntax. Knowing that many people who do this are not stupid makes it
> even harder to credit. I've finally come to the conclusion that many
> groups do this as an expression, rather than an enforcement of policy.
> If someone is caught doing something stupid or malicious in a root
> shell, management can say "you evaded our clear policy against root
> You may or may not consider this alternate interpretation of excluding
> shells from 'ALL' as legitimate, or worth the confusion of people who
> believe such an exclusion actually works, but I thought I'd mention it.
Howard Owen "Even if you are on the right
EGBOK Consultants track, you'll get run over if you
hbo at egbok.com +1-650-218-2216 just sit there." - Will Rogers
More information about the sudo-workers