Sudo and smitty Post: 302325147

Sponsored Content

Operating Systems AIX Sudo and smitty Post 302325147 by bakunin on Saturday 13th of June 2009 01:37:56 AM

06-13-2009

Registered User

Yes, you could do so but it would be VERY UNWISE to do it: sudo starts a shell (as root) and executes your command in it, then the shell is closed again. Suppose you do a "sudo ls -l": sudo opens a shell as root in this shell "ls" is executed under root privileges, then "ls" terminates, then the root shell terminates.

Now suppose you start a command which doesn't end immediately but is an interactive program like "ksh" or "smit": instead of doing its work it will expect the user to enter commands, which will be executed as - root, of course! The same is true for SMITty: start SMITty via sudo as root, use the "open shell" facility and you are root in this shell.

This means: if you allow anybody to use an interactive program via sudo you could also allow him to su to root directly. In effect it is the same.

I hope this helps.

bakunin

Corollary: i once worked in a bank where the "security department" (trained monkeys with a jargon file learned by heart) had insisted on using sudo for virtually every task. Additionally several files were only read/write for root and these files had to be edited sometimes. For this they set up a sudo-command like "vi /path/to/some/file". I simply used this command, did a shell escape from the vi - and had a root shell for my convenience. They are still wondering how i could advise them about their configuration problems (they had a lot) without having any access to the machine while their own administrators being root were still analysing.

It's so easy when you're evil.... Smilie

bakunin

View Public Profile for bakunin

Find all posts by bakunin

10 More Discussions You Might Find Interesting

1. AIX

Interesting SMITTY behavior

I have a couple systems that are acting strangely. In 'smitty tcpip' everything is displayed twice. Even going into the submenus (like minimum configuration and startup) everything is displayed twice. Has anyone seen this? Know how to fix it? Thanks

2. AIX

change ip in aix not using smitty

I want to change my ip by not using smitty, could please help me and what to edit files. So that everytime i will restart my server it will not change.

3. AIX

mksysb with smitty

Hello I need to make a mksysb, I try with smitty but I get the next message 0512-017 mksysb: Cannot write to the device /dev/rmt3. Either write protected or in use. My tape are ready to write ( dont get protection) I use the clean tape and I try with other tapes but I...

4. AIX

Question about Smitty Fs (backup an F.S)

hi all:cool: was just wonderin..by the way im new here..hi all:D...was just wonderin if i smitty fs backup a file system to tape if the permissions and ownership of the files and dir are retained?:confused: o.s is AIX 5.3L thanks all

5. HP-UX

command that is equivalent to smitty in IBM.

i need to change OS level parameter like number of user how to change system environment variable ??? equivalent to smitty in IBM

6. AIX

smitty mktcpip --> START Now

In "smitty mktcpip", the last item you can change is the "START Now". Does any one change this to "yes" when setting the IP? If so, what agrument would you use to convice others to use it also?

7. AIX

Cannot create user using SMITTY

i'm using smitty to create user...what happen is it prompt me "failed" with error 3004-703 Check "/etc/security/login.cfg" file. 3004-691 Error changing "shell". 3004-703 Check "/usr/lib/security/mkuser.default" file. 3004-721 Could not create user. 3004-703 Check...

8. Shell Programming and Scripting

ssh foo.com sudo command - Prompts for sudo password as visible text. Help?

I am writing a BASH script to update a webserver and then restart Apache. It looks basically like this: #!/bin/bash rsync /path/on/local/machine/ foo.com:path/on/remote/machine/ ssh foo.com sudo /etc/init.d/apache2 reloadrsync and ssh don't prompt for a password, because I have DSA encryption...

9. AIX

Usage of smitty alt_mksysb

Hello, in which situations should I use smitty alt_mksysb ? What is the general purpose of this tool. Thanks for help, p

10. UNIX for Advanced & Expert Users

Smitty

Hi All, Im new in aix, anyone can advice is there any way to understand smitty ?:confused: Thanks. TCP.

LEARN ABOUT MOJAVE

chroot

CHROOT(8)						    BSD System Manager's Manual 						 CHROOT(8)

NAME

     chroot -- change root directory

SYNOPSIS

     chroot [-u -user] [-g -group] [-G -group,group,...] newroot [command]

DESCRIPTION

     The chroot command changes its root directory to the supplied directory newroot and exec's command, if supplied, or an interactive copy of
     your shell.

     If the -u, -g or -G options are given, the user, group and group list of the process are set to these values after the chroot has taken
     place.  See setgid(2), setgroups(2), setuid(2), getgrnam(3) and getpwnam(3).

     Note, command or the shell are run as your real-user-id.

ENVIRONMENT

     The following environment variable is referenced by chroot:

     SHELL  If set, the string specified by SHELL is interpreted as the name of the shell to exec.  If the variable SHELL is not set, /bin/sh is
	    used.

SEE ALSO

     chdir(2), chroot(2), environ(7)

HISTORY

     The chroot utility first appeared in 4.4BSD.

SECURITY CONSIDERATIONS

     chroot should never be installed setuid root, as it would then be possible to exploit the program to gain root privileges.

4.3 Berkeley Distribution					  October 6, 1998					 4.3 Berkeley Distribution

10 More Discussions You Might Find Interesting

1. AIX

Interesting SMITTY behavior

Discussion started by: pmmill2

2. AIX

change ip in aix not using smitty

Discussion started by: kenshinhimura

3. AIX

mksysb with smitty

Discussion started by: lo-lp-kl

4. AIX

Question about Smitty Fs (backup an F.S)

Discussion started by: redmanshogun