The UNIX and Linux Forums  

Go Back   The UNIX and Linux Forums > Special Forums > Security
Reload this Page sudo question
Google UNIX.COM
Forums Portal Register Forum Rules FAQContribute Members List Arcade Search Today's Posts Mark Forums Read



Thread: sudo question
View Single Post in UNIX Forums - Click on the Thread or Permalink to View Entire Thread -->
  #11 (permalink)  
Old 05-18-2008
era era is offline
Herder of Useless Cats
  

Join Date: Mar 2008
Location: /there/is/only/bin/sh
Posts: 3,650
Quote:
Originally Posted by divh18 View Post
Yes any user can copy bash to /userpath/notbash
But when a non root user issues a sudo notbash,
the user will need to enter root's password to gain root priveleges.
This is not correct. sudo only requires the user's own password.

If I understand correctly, you have configured sudo to allow these users to execute any command they want, and then separately prohibited the shell, in order to prevent them from evading the logging.

The problem is that you cannot enforce your policy if you have a "permit unless prohibited" policy. Only with "prohibit unless permitted" and by explicitly listing the commands the users are allowed to execute as admin can you meaningfully enforce your policy.

These are your options; I don't think you like the answer, but that's how it is. Either explicitly list all the permitted commands, or live with the fact that some user could come up with a workaround to evade the logging. If you trust them to run arbitrary commands, what's to prevent them from installing a remote backdoor if they wanted to? It's "turtles all the way down".
Reply With Quote