Re: sudo logging

To: Berthold Cogel <cogel@uni-koeln.de>
Cc: debian-user <debian-user@lists.debian.org>
Subject: Re: sudo logging
From: Scott Gifford <sgifford@suspectclass.com>
Date: Wed, 22 Jul 2009 11:11:25 -0400
Message-id: <[🔎] lyk520oiqq.fsf@gfn.org>
In-reply-to: <[🔎] 4A66FE47.8020406@uni-koeln.de> (Berthold Cogel's message of "Wed, 22 Jul 2009 13:55:51 +0200")
References: <1cbd6f830906101657q8212a84r609d8577ef6b5ed@mail.gmail.com> <[🔎] 4A66FE47.8020406@uni-koeln.de>

Berthold Cogel <cogel@uni-koeln.de> writes:

[...]

> We're doing somthing like this in /etc/sudoers:
>
>
> Cmnd_Alias	SHELLS =	/bin/sh, \
> 				/bin/bash, \
> 				/bin/bash2, \

[...]

> TRUSTED_USR  ALL = NOPASSWD:	ALL ,!SHELLS, NOROOT

This works well for letting users know they shouldn't be running a
shell, but beyond that it can be easily bypassed.  A user could run vi
then type ":!/bin/bash" to get a shell, for example, or copy /bin/bash
into their home directory and run it from there.

---Scott.

Reply to:

References:
- Re: sudo logging
  - From: Berthold Cogel <cogel@uni-koeln.de>

Prev by Date: Re: Maintaining personal backports
Next by Date: Re: [OT] GNU - Linux and Debian.......
Previous by thread: Re: sudo logging
Next by thread: Re: sudo logging
Index(es):
- Date
- Thread