
Re: sudoers



Thanks! Steve and Judith...

As I understand it, Steve, you mean I should (for example) give permission to use only vim or gedit; so I can prohibit the user from doing vim /etc/sudoers or gedit /etc/sudoers?



On 01/10/13 11:28, Steve Langasek wrote:
On Tue, Oct 01, 2013 at 12:30:42PM -0300, Judith Buseghin wrote:
Sorry, I had an error in the script.
Corrected script:
#!/bin/bash
# usage: script.sh <new-sudoers-file>
chmod 554 /etc/sudoers    # temporarily set mode 554 (r-xr-xr--)
cp "$1" /etc/sudoers      # install the file given as the first argument
chmod 440 /etc/sudoers    # restore the standard read-only mode
I think you misunderstood the intent, which was to *prevent* a user from
editing /etc/sudoers to give themselves expanded rights.

And I think the answer is that you can only do this effectively if you grant
the user access to a finite whitelist of programs... no globs across
/usr/bin/* or the like.  There are too many editors and other programs that
will give a user arbitrary file I/O.

BTW, not sure why in your script above you are setting /etc/sudoers mode
554.  That's setting an executable bit on the file, which serves no purpose;
and makes it world-readable, which is not wanted.

Cheers,


--
http://g0liv3ir4.wordpress.com
twitter g0liv3ir4
identi.ca goliveira
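To make the point of the thread concrete, here is an added sudoers fragment (not from either poster) contrasting the glob and single-editor rules with a finite whitelist; the user name "alice", the service "nginx" and the command paths are assumed for illustration.

```sudoers
# WEAK: a wildcard grants every program under /usr/bin, including every
# editor and interpreter, each of which can read or write any file as root.
alice ALL=(root) /usr/bin/*

# STILL WEAK: even one editor is enough, because the editor itself can be
# pointed at any path (vim /etc/sudoers), so this does not prevent the edit.
alice ALL=(root) /usr/bin/vim

# HARDENED: a finite list of specific commands with fixed arguments.
# (paths are assumed here; check them on the target host)
Cmnd_Alias SVC_CTL = /bin/systemctl restart nginx, /bin/systemctl status nginx
alice ALL=(root) SVC_CTL

# If editing one particular file really is required, grant sudoedit on that
# path only; sudoedit copies the file to a temp location, opens the user's
# editor unprivileged, and writes back only that file.
alice ALL=(root) sudoedit /etc/nginx/nginx.conf
```

Validate any such fragment with `visudo -c -f <file>` before installing it, and keep it in /etc/sudoers.d rather than editing /etc/sudoers directly.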

