
Re: shared root account



On Fri, Jul 06, 2001 at 09:29:54AM -0700, Robert L. Yelvington wrote:
> admittedly, i am not very familiar with sudo because i have never seen the
> practical advantages of making su'ing more of a hassle by having to manage
> another set of conf files and keeping track of who's a sudoer and,
> therefore, have chosen not to use it.
> 
> what's to stop a person, once they've sudo'd, from editing /etc/sudoers and
> giving themselves more privs?

[ please avoid jeopardy style quoting ]

If sudo already allows a user to run "ALL" commands as root, what
privs could they possibly gain?

OTOH if you restrict the user to a list of commands in /etc/sudoers,
it's wise to consider whether the user might be able to leverage one of
those commands to edit /etc/sudoers (or any other file).  If you're
going to list "emacs" or "vi" in /etc/sudoers, you might as well just
list "ALL" :)

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd.                 | than a perfect plan tomorrow.
mailto:nnorman@micromuse.com   |   -- Patton

Attachment: pgp9R8egvA3eY.pgp
Description: PGP signature
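The check suggested in the reply above, as an added example that is not part of the original message: a small auditor that flags sudoers entries which are effectively as broad as "ALL". It assumes a simplified sudoers grammar (no includes, every `#` starts a comment); the sample text is constructed, and the editor names beyond "vi" and "emacs" are an assumption added here.

```python
import posixpath
import re

# "vi" and "emacs" are named in the post; the other editors are an assumption added here.
FILE_EDITORS = {"vi", "emacs", "vim", "nano", "ed"}
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample input, not taken from the post.
SAMPLE = """\
Defaults env_reset
Cmnd_Alias EDIT = /usr/bin/vi, \\
                  /usr/bin/emacs
root    ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/lpq, EDIT
bob     ALL=/sbin/reboot, !/usr/bin/vi
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: every '#' starts a comment
        if line:
            yield line

def classify(cmd):
    """Return the reason a command entry is as broad as ALL, or None."""
    if cmd == "ALL":
        return "grants every command"
    if cmd and not cmd.startswith("!"):       # a negated entry grants nothing
        if posixpath.basename(cmd.split()[0]) in FILE_EDITORS:
            return "editor can be used to edit /etc/sudoers or any other file"
    return None

def audit(text):
    """Return (user, command, reason) findings for simplified sudoers text."""
    aliases, specs, findings = {}, [], []
    for line in logical_lines(text):
        head, _, rhs = line.partition("=")
        if line.startswith("Cmnd_Alias"):     # remember alias members for expansion
            aliases[head.split()[1]] = [c.strip() for c in rhs.split(",")]
        elif rhs and not line.startswith(SKIP):
            specs.append((head.split()[0], rhs))
    for user, rhs in specs:
        rhs = re.sub(r"\([^)]*\)|\b[A-Z_]+:", "", rhs)  # drop (runas) lists and TAG:
        for entry in (c.strip() for c in rhs.split(",")):
            for cmd in aliases.get(entry, [entry]):     # expand Cmnd_Alias names
                if (reason := classify(cmd)):
                    findings.append((user, cmd, reason))
    return findings
```

Calling `audit(SAMPLE)` reports root's "ALL" and both editors reached through alice's `EDIT` alias, while bob's negated entry is ignored.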

