| 1 |
Also, I believe sudo has 'sudoedit' or something along those lines, |
| 2 |
which presumably allows you to edit a copy of the file before suid, |
| 3 |
then copies the file back. |
| 4 |
|
| 5 |
On 10/12/06, Janne Pikkarainen <jaba@××××××××××.fi> wrote: |
| 6 |
> Hello everyone, |
| 7 |
> |
| 8 |
> I just joined gentoo-server mailing list yesterday. I've been semi-active in |
| 9 |
> Gentoo forums since 2003, though, so some of you might recognize me from |
| 10 |
> there. |
| 11 |
> |
| 12 |
> On Friday 13 October 2006 01:06, Christian Spoo wrote: |
| 13 |
> > Ricardo Loureiro schrieb: |
| 14 |
> > > That works well, until the users type sudo bash like I saw many ppl |
| 15 |
> > > doing... |
| 16 |
> > |
| 17 |
> > Then you can restrict the commands your guys are allowed to execute. |
| 18 |
> > It's very easily handled in the sudoers file. |
| 19 |
> > |
| 20 |
> > In typical LAMP installations you could configure, separate DB admin, |
| 21 |
> > WWW admin, etc. and each one is only permitted to run a few commands. |
| 22 |
> |
| 23 |
> sudo is all fine and dandy, but it's one of those tools which allow you to |
| 24 |
> shoot yourself to foot. The ability to give users root access to only handful |
| 25 |
> of commands is a blessing - then again, it's also a curse. |
| 26 |
> |
| 27 |
> There is a built-in shell escape functionality built-in to many commands, and |
| 28 |
> if some user has sudo access to such command, it's easy to spawn a separate |
| 29 |
> root shell from there. Let's say your co-admins need to edit config files and |
| 30 |
> they like to do it with vim, so you give them sudo access to vim. Well... |
| 31 |
> just try what happens if you run "sudo vim" and give :!bash command in vim. |
| 32 |
> |
| 33 |
> That leads to root bash and lost audit trail. That's why I personally do not |
| 34 |
> trust just sudo. If I really need a reliable audit trail, I'll use something |
| 35 |
> like grsecurity audit groups instead. |
| 36 |
> |
| 37 |
> Just something to think about. :-) Of course there are plenty of commands |
| 38 |
> without external command support and most of the time sudo is secure enough. |
| 39 |
> -- |
| 40 |
> gentoo-server@g.o mailing list |
| 41 |
> |
| 42 |
> |
| 43 |
-- |
| 44 |
gentoo-server@g.o mailing list |
Archives