Sudo & su
Chris St. Pierre
stpierre at NebrWesleyan.edu
Sat Nov 3 23:22:16 UTC 2007
On Sat, 3 Nov 2007, Carville, Stephen wrote:
>
>> A user with sudoer privileges is able to get root using "sudo su -". I
>> find this extremely irritating. I prefer to keep access to root limited
>> number of administrators in my organisation, but the applications
>> running on the system require the application owners to be able to run
>> root only commands. It seems this be a global behavior, I have seen it
>> on RHEL, Fedora and AIX5.3.
>> Is there a way to force the system to request for the root password? Or
>> restrict 'sudo' users from using 'su'?
>
> Do not give it all then try to deny certain commands. Any reasonably smart use
> can defeat that. Start with nothing and allow only what is necessary.
This is _excellent_ advice.
Let's say you give someone sudo but don't allow them to run 'su'. I
can think of half a dozen ways off the top of my head to get around
that:
'sudo bash'; run su
'sudo screen'; run su
'sudo emacs'; M-x shell; run su
'sudo script su'
Write a shell script that invokes su and run it with sudo
'true | sudo xargs su'
That was after about 30 seconds of thought. A dedicated attacker
could find significantly more avenues of attack.
The moral of the story is this: if you are granting someone root, but
don't want them to have a non-logged root shell, you a) will have to
limit what they can do as root extensively; and b) be very careful
about what you allow. Stephen speaks words of great wisdom.
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
More information about the redhat-list
mailing list