On 02/08/2012 02:49 PM, James Wilkinson wrote:
> Steven Stern wrote:
>> I keep meaning to edit the sudo config files to block things like
>>
>> sudo su -
>> sudo bash
>>
>> but I get lazy. Someday, this will bite me in the ***.
>
> Note for anyone considering this: it’s virtually impossible to make this
> watertight, because there are too many ways for someone to get around
> it.
>
> For example, what happens if someone creates a bash script and then runs
> it with sudo? Can people make sudo-run programs overwrite a program that
> they can then run with sudo, or a program that root will run normally?
> Can programs on the list be persuaded to run an editor or a shell?
>
> You really need to start with a very short whitelist, and add to it as
> required.
>
> James.
>

Exactly. Don't give anyone sudo you wouldn't trust with root, yourself included.

--
-- Steve
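
The two approaches discussed in this thread, side by side as a sudoers fragment. This is an added example, not part of the original messages; the group names, command paths, unit name and file names are assumptions chosen for illustration.

```sudoers
# Added example. Group names (%staff, %webops), paths and the httpd unit
# are assumptions, not taken from the thread.

# --- Weak: blacklist --------------------------------------------------
# Everything is allowed except the listed commands. As the thread notes,
# a script run through sudo, a sudo-runnable program that can be
# overwritten, or an allowed program that can start an editor or a shell
# is not covered by the "!" entries.
Cmnd_Alias SHELLS = /bin/bash, /bin/sh, /usr/bin/su
%staff   ALL = (root) ALL, !SHELLS

# --- Stronger: short whitelist, extended only as required -------------
# Full paths with fixed arguments: when arguments are given in sudoers,
# the command line must match them exactly. The binaries and every
# directory above them must be root-owned and not writable by the users
# in the group, otherwise a listed program can be replaced.
Cmnd_Alias WEB_OPS = /usr/bin/systemctl restart httpd.service, \
                     /usr/bin/systemctl reload httpd.service
%webops  ALL = (root) WEB_OPS

# NOEXEC stops a dynamically linked program from executing further
# commands, which addresses the "run an editor or a shell" question.
# Test each command with it, since some programs need to run helpers.
%webops  ALL = (root) NOEXEC: /usr/bin/tail -n 200 /var/log/httpd/error_log

# Editing a root-owned file: sudoedit runs the editor as the invoking
# user on a temporary copy, so the editor itself never runs as root.
%webops  ALL = (root) sudoedit /etc/httpd/conf.d/site.conf
```

A fragment like this can be syntax-checked with `visudo -cf <file>` before it is placed under /etc/sudoers.d/.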