
Re: su question



On Sat, Jul 08, 2000 at 01:51:49AM -0400, Ben Collins wrote:
> 
> But of course that's why sudo allows you to restrict usage to certain
> commands defined in /etc/sudoers. Obviously this limits the compromise
> even further. Being able to give certain users access to specific
> commands, without giving them the root password, also lessens the result
> of a compromise.
> 
> su gives you none of this.

again agreed, however one must be quite careful of what you give to a
sudoer. for example allowing a user to run:

sudo vi /etc/somefile

is the same as giving them this:

sudo bash

since vi allows shell escapes as does pretty much every editor i have
used. 

and of course giving sudo permission to emacs is most certainly root
since emacs is an entire OS environment all its own ;-)

i only use sudo for some commands for which i am almost completely
certain won't give out a root shell.  for example sudo shutdown -r
now, sudo mount -o remount,r[ow] /usr[/local].

however something like sudo make install is giving out root, since a
user can simply write a Makefile that installs a suidroot shell. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
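
An added example, not part of the original message: a small Python check that reads sudoers-style rules and flags the grants the message describes as root-equivalent (vi, emacs, bash, make). The function name `audit_sudoers`, the sample rules and the `vim`/`sh` entries are assumptions made for this example; aliases and include files are not resolved.

```python
import os
import re

# vi, emacs, bash and make are the programs named in the message above;
# vim and sh are assumptions added here. The set is not exhaustive.
ROOT_EQUIVALENT = {
    "vi": "editor with shell escapes",
    "vim": "editor with shell escapes",
    "emacs": "editor that can spawn a shell",
    "bash": "is a shell",
    "sh": "is a shell",
    "make": "runs recipes from a user-written Makefile",
}
NOT_USER_SPECS = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")
SPEC = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(.+)$")          # user host = commands
PREFIX = re.compile(r"^(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*")  # "(root) NOPASSWD: "

def audit_sudoers(text):
    """Return (user, command, reason) for every root-equivalent grant."""
    findings = []
    joined = text.replace("\\\n", " ")  # fold backslash-continued lines
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        match = SPEC.match(line)
        if not match or line.startswith(NOT_USER_SPECS):
            continue
        user, commands = match.groups()
        # sudoers escapes a literal comma inside arguments as "\,"
        for cmd in re.split(r"(?<!\\),", commands):
            cmd = PREFIX.sub("", cmd.strip(), count=1)
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted command list"))
                continue
            program = os.path.basename(cmd.split()[0])
            if program in ROOT_EQUIVALENT:
                findings.append((user, cmd, ROOT_EQUIVALENT[program]))
    return findings

# Constructed sample rules (not from the original message).
SAMPLE = r"""
alice ALL = /usr/bin/vi /etc/somefile
bob   ALL = /sbin/shutdown -r now, /bin/mount -o remount\,rw /usr
carol ALL = (root) NOPASSWD: /usr/bin/make install, \
            /usr/bin/emacs
dave  ALL = /bin/bash
"""

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE):
        print(f"{user}: {cmd} -> {reason}")
```

The shutdown and mount grants for bob pass, matching the message's view of them, while every rule that hands out an editor, a shell or make is reported.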
