Sudo & su
Vivek J. Patankar
vivek.patankar at gmail.com
Sun Nov 4 05:46:35 UTC 2007
Rik van Riel wrote:
> On Sat, 3 Nov 2007 18:22:16 -0500 (CDT)
> "Chris St. Pierre" <stpierre at NebrWesleyan.edu> wrote:
>
>> On Sat, 3 Nov 2007, Carville, Stephen wrote:
>
>>> Do not give it all then try to deny certain commands. Any reasonably smart use
>>> can defeat that. Start with nothing and allow only what is necessary.
>> This is _excellent_ advice.
>>
>> Let's say you give someone sudo but don't allow them to run 'su'. I
>> can think of half a dozen ways off the top of my head to get around
>> that:
>>
>> 'sudo bash'; run su
>> 'sudo screen'; run su
>> 'sudo emacs'; M-x shell; run su
>> 'sudo script su'
>> Write a shell script that invokes su and run it with sudo
>> 'true | sudo xargs su'
>>
>> That was after about 30 seconds of thought. A dedicated attacker
>> could find significantly more avenues of attack.
>
> less, vi and a number of other innocent looking programs
> can be used to invoke a shell.
>
> Of course, if you can sudo vi, you could just edit the
> sudoers file.
>
> Stephen's advice is to be taken seriously.
Thanks everybody, for all the good advise.
--
Regards,
विवेक ज. पाटणकर (Vivek J. Patankar)
Registered Linux User #374218
Fedora release 7 (Moonshine)
Linux 2.6.22.4-65.fc7 x86_64
More information about the redhat-list
mailing list