RE: Sudo & su

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 3 Nov 2007, Carville, Stephen wrote:


A user with sudoer privileges is able to get root using "sudo su -". I
find this extremely irritating. I prefer to keep access to root limited
number of administrators in my organisation, but the applications
running on the system require the application owners to be able to run
root only commands. It seems this be a global behavior, I have seen it
on RHEL, Fedora and AIX5.3.
Is there a way to force the system to request for the root password? Or
restrict 'sudo' users from using 'su'?

Do not give it all then try to deny certain commands.  Any reasonably smart use
can defeat that.  Start with nothing and allow only what is necessary.

This is _excellent_ advice.

Let's say you give someone sudo but don't allow them to run 'su'.  I
can think of half a dozen ways off the top of my head to get around
that:

'sudo bash'; run su
'sudo screen'; run su
'sudo emacs'; M-x shell; run su
'sudo script su'
Write a shell script that invokes su and run it with sudo
'true | sudo xargs su'

That was after about 30 seconds of thought.  A dedicated attacker
could find significantly more avenues of attack.

The moral of the story is this: if you are granting someone root, but
don't want them to have a non-logged root shell, you a) will have to
limit what they can do as root extensively; and b) be very careful
about what you allow.  Stephen speaks words of great wisdom.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux