
Re: shared root account



>>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:

Ethan> On Sat, Jul 07, 2001 at 02:10:09AM +0100, Eric E Moore wrote:
>> I would be very shocked if you could compromise a system with a
>> sudoers entry of: me hostname = (root) /bin/cat

Ethan> i would not, being able to read every file on the system, even
Ethan> if you can't write is going to lead to compromise sooner or
Ethan> later.

ok, I *should* have said that it would not give any vulnerabilities
other than those granted by being able to read any file on the
system.   Unexpected compromises, I guess is what I meant, of the
nature that putting less in the sudoers file would provide.

Ethan> sudo is a very large cannon which is difficult to keep aimed
Ethan> away from the foot...
>> That it is.  But then, the root password is basically a very large
>> cannon built into your shoe.

Ethan> i would not go that far.

Ok, the amount of aiming away from your foot that you can do with
giving someone privileges by giving them the root password is a proper
subset of the aiming away from your foot that you can do when
granting privileges through sudo.

  -Eric


