[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Sudo was[Re: Emacs from Xterm]

On Fri, 2002-07-05 at 10:57, Joseph Dane wrote:

> *but*, people often overestimate the safety provided by sudo.  many
> editors allow shell escapes, so anyone who can sudo one of these
> editors can get a root shell.  

Exactly. I remember in my bad old days as an Amazon.com sysadmin. The
security powers that be decided that the sysadmins shouldn't know the
root password, and could only do their job with sudo. In addition, the
security guys wanted to prevent sysadmins from using root shells, so
they weren't allowed to sudo any command that matched the .*sh regexp. 

The admins just made a game of finding the shortest method of getting a
root shell via sudo, and there were plenty of innovative ways to do it,
including many that would never look like you were getting a shell, even
if you monitored the sudo logs.

Note, I am not making this up. Amazon could be a pretty fscked place to
work sometimes, which probably explains why I quit.

-- 
Dave Carrigan
Seattle, WA, USA
dave@rudedog.org | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL

Dave is currently listening to Van Morrison - Astral Weeks (Astral
Weeks)


-- 
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: