Sudo & su

Chris St. Pierre stpierre at NebrWesleyan.edu
Sat Nov 3 23:22:16 UTC 2007


On Sat, 3 Nov 2007, Carville, Stephen wrote:

>
>> A user with sudoer privileges is able to get root using "sudo su -". I
>> find this extremely irritating. I prefer to keep access to root limited
>> number of administrators in my organisation, but the applications
>> running on the system require the application owners to be able to run
>> root only commands. It seems this be a global behavior, I have seen it
>> on RHEL, Fedora and AIX5.3.
>> Is there a way to force the system to request for the root password? Or
>> restrict 'sudo' users from using 'su'?
>
> Do not give it all then try to deny certain commands.  Any reasonably smart use
> can defeat that.  Start with nothing and allow only what is necessary.

This is _excellent_ advice.

Let's say you give someone sudo but don't allow them to run 'su'.  I
can think of half a dozen ways off the top of my head to get around
that:

'sudo bash'; run su
'sudo screen'; run su
'sudo emacs'; M-x shell; run su
'sudo script su'
Write a shell script that invokes su and run it with sudo
'true | sudo xargs su'

That was after about 30 seconds of thought.  A dedicated attacker
could find significantly more avenues of attack.

The moral of the story is this: if you are granting someone root, but
don't want them to have a non-logged root shell, you a) will have to
limit what they can do as root extensively; and b) be very careful
about what you allow.  Stephen speaks words of great wisdom.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University




More information about the redhat-list mailing list