[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: su question



On Sat, Jul 08, 2000 at 01:51:49AM -0400, Ben Collins wrote:
> 
> But of course that's why sudo allows you to restrict usage to certain
> commands defined in /etc/sudoers. Obviously this limits the compromise
> even further. Being able to give certain users access to specific
> commands, without giving them the root password, also lessons the result
> of a compromise.
> 
> su gives you none of this.

again agreed, however one must be quite careful of what you give to a
sudoer. for example allowing a user to run:

sudo vi /etc/somefile

is the same as giving them this:

sudo bash

since vi allows shell escapes as does pretty much every editor i have
used. 

and of course giving sudo permission to emacs is most certainly root
since emacs is an entire OS environment all its own ;-)

i only use sudo for some commands for which i am almost completly
certain won't give out a root shell.  for example sudo shutdown -r
now, sudo mount -o remount,r[ow] /usr[/local].

however something like sudo make install is giving out root, since a
user can simply write a Makefile that installs a suidroot shell. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpdx_Vz9ydy_.pgp
Description: PGP signature


Reply to: