[olug] /etc/sudoers notes for entries with multiple "tags".

Dan Linder dan at linder.org
Thu Aug 21 02:35:52 UTC 2008


On Wed, Aug 20, 2008 at 9:27 PM, Luke -Jr <luke at dashjr.org> wrote:
> On Wednesday 20 August 2008 13:53:45 Dan Linder wrote:
>> Additionally, I don't want them to be able to shell out (:shell) and
>> get a root prompt.  The NOEXEC stanza for sudoers turns this off:
>
> So instead I'll open /usr/bin/vi and replace it with /bin/sh :)

...well....  If you're able to replace /usr/bin/vi (a link owned by
root on my system), then you've already got root and hence game over.
:-)

The specific use of /usr/bin/vim in my post was just an example - in
my case the real executable was a perl script that doesn't have any
explicit exec calls, but just in case it would get called with a bad
set of inputs, this should help limit the exposure.

Remember, security in layers...

Or, security is like an Ogre...er, um, an Onion! :D (obShrek quote)

Dan

-- 
"Quis custodiet ipsos custodes?" (Who can watch the watchmen?) -- from
the Satires of Juvenal
"I do not fear computers, I fear the lack of them." -- Isaac Asimov (Author)
** *** ***** ******* *********** *************
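An added audit script, not part of this thread or of sudo itself, that scans sudoers rules for commands with a built-in shell escape that are granted without the NOEXEC tag. It follows the sudoers(5) rule that a tag applies to the command after it and is inherited by later commands in the same rule until overridden; the escape-capable command list and the sample rules are constructed for the example.

```shell
#!/bin/sh
# Audit sudoers rules: report escape-capable commands granted without NOEXEC.
# Tag inheritance follows sudoers(5): NOEXEC: covers every later command in
# the rule until an EXEC: tag resets it.

# Programs with a built-in shell escape (constructed, deliberately short list).
ESCAPE_CMDS='vi vim less more man'

is_escape_cmd() {
    name=${1##*/}
    for c in $ESCAPE_CMDS; do [ "$name" = "$c" ] && return 0; done
    return 1
}

# audit_rule LINE: print each escape-capable command path in LINE that is
# not covered by NOEXEC; return 0 if any was found, 1 otherwise.
audit_rule() {
    case $1 in \#*|Defaults*|*_Alias*|'') return 1 ;; esac
    spec=${1#*=}                 # keep only the part after "user host ="
    noexec=0 found=1
    old_ifs=$IFS; IFS=','
    for item in $spec; do        # one comma-separated command entry at a time
        IFS=$old_ifs
        for word in $item; do
            case $word in
                "("*")") ;;                  # runas list, e.g. (root)
                NOEXEC:) noexec=1 ;;
                EXEC:)   noexec=0 ;;
                *:)      ;;                  # NOPASSWD:, SETENV:, other tags
                /*)      if [ "$noexec" -eq 0 ] && is_escape_cmd "$word"; then
                             printf '%s\n' "$word"; found=0
                         fi ;;
            esac
        done
        IFS=','
    done
    IFS=$old_ifs
    return $found
}

# Constructed sample: rule 1 is fine; rule 2 leaves less uncovered because
# NOEXEC is only set before vim; rule 3 re-enables EXEC for man.
SAMPLE='dan ALL = (root) NOEXEC: NOPASSWD: /usr/bin/vim /etc/hosts
ops ALL = (root) NOPASSWD: /usr/bin/less, NOEXEC: /usr/bin/vim
dan ALL = NOEXEC: /usr/bin/vi, EXEC: /usr/bin/man'

printf '%s\n' "$SAMPLE" | while IFS= read -r rule; do
    audit_rule "$rule" | sed 's|^|MISSING NOEXEC: |'
done
```

NOEXEC works by preloading a library into dynamically linked programs, so it does not cover statically linked binaries; treat the tag as one layer, not as a substitute for limiting which commands are granted at all.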