Also, I believe sudo has 'sudoedit' or something along those lines,
which presumably allows you to edit a copy of the file before suid,
then copies the file back.

On 10/12/06, Janne Pikkarainen <jaba@××××××××××.fi> wrote:
> Hello everyone,
>
> I just joined the gentoo-server mailing list yesterday. I've been semi-active in
> Gentoo forums since 2003, though, so some of you might recognize me from
> there.
>
> On Friday 13 October 2006 01:06, Christian Spoo wrote:
> > Ricardo Loureiro wrote:
> > > That works well, until the users type sudo bash like I saw many people
> > > doing...
> >
> > Then you can restrict the commands your guys are allowed to execute.
> > It's very easily handled in the sudoers file.
> >
> > In typical LAMP installations you could configure separate DB admin,
> > WWW admin, etc. and each one is only permitted to run a few commands.
>
> sudo is all fine and dandy, but it's one of those tools which allow you to
> shoot yourself in the foot. The ability to give users root access to only a handful
> of commands is a blessing - then again, it's also a curse.
>
> There is shell escape functionality built in to many commands, and
> if some user has sudo access to such a command, it's easy to spawn a separate
> root shell from there. Let's say your co-admins need to edit config files and
> they like to do it with vim, so you give them sudo access to vim. Well...
> just try what happens if you run "sudo vim" and give the :!bash command in vim.
>
> That leads to a root bash and a lost audit trail. That's why I personally do not
> trust just sudo. If I really need a reliable audit trail, I'll use something
> like grsecurity audit groups instead.
>
> Just something to think about. :-) Of course there are plenty of commands
> without external command support and most of the time sudo is secure enough.
> --
> gentoo-server@g.o mailing list

--
gentoo-server@g.o mailing list
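
The sudoers rules discussed in this thread, as an added example that is not part of the original messages: the editor rule that permits the shell escape, beside a sudoedit rule, per-role command lists, and the NOEXEC tag. The group names, file paths and init script names are assumptions chosen for illustration.

```sudoers
# Added example; group names and file paths are hypothetical.

# Weak: vim runs as root, so ":!bash" inside it yields a root shell,
# and sudo logs only the initial "sudo vim" invocation.
%wwwadmin ALL = (root) /usr/bin/vim /etc/apache2/httpd.conf

# Corrected: sudoedit makes a temporary copy, runs the editor as the
# invoking user, then installs the edited copy. A shell escape from
# the editor is therefore an unprivileged shell.
%wwwadmin ALL = (root) sudoedit /etc/apache2/httpd.conf

# Per-role command lists for a LAMP host: each group gets only the
# few commands it needs, with arguments fixed.
Cmnd_Alias WWW_CMDS = /etc/init.d/apache2 restart, /etc/init.d/apache2 reload
Cmnd_Alias DB_CMDS  = /etc/init.d/mysql restart
%wwwadmin ALL = (root) WWW_CMDS
%dbadmin  ALL = (root) DB_CMDS

# For a tool that can spawn other commands, the NOEXEC tag prevents a
# dynamically linked program from executing a child process. It does
# not help with statically linked binaries.
%wwwadmin ALL = (root) NOEXEC: /usr/bin/less /var/log/apache2/error_log
```

Edit the file with `visudo` so that a syntax error is caught before the rules take effect.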