Re: sudo logging
Berthold Cogel <cogel@uni-koeln.de> writes:
[...]
> We're doing somthing like this in /etc/sudoers:
>
>
> Cmnd_Alias SHELLS = /bin/sh, \
> /bin/bash, \
> /bin/bash2, \
[...]
> TRUSTED_USR ALL = NOPASSWD: ALL ,!SHELLS, NOROOT
This works well for letting users know they shouldn't be running a
shell, but beyond that it can be easily bypassed. A user could run vi
then type ":!/bin/bash" to get a shell, for example, or copy /bin/bash
into their home directory and run it from there.
---Scott.
Reply to: