On Sat, 3 Nov 2007 18:22:16 -0500 (CDT) "Chris St. Pierre" <stpierre@xxxxxxxxxxxxxxxx> wrote: > On Sat, 3 Nov 2007, Carville, Stephen wrote: > > Do not give it all then try to deny certain commands. Any reasonably smart use > > can defeat that. Start with nothing and allow only what is necessary. > > This is _excellent_ advice. > > Let's say you give someone sudo but don't allow them to run 'su'. I > can think of half a dozen ways off the top of my head to get around > that: > > 'sudo bash'; run su > 'sudo screen'; run su > 'sudo emacs'; M-x shell; run su > 'sudo script su' > Write a shell script that invokes su and run it with sudo > 'true | sudo xargs su' > > That was after about 30 seconds of thought. A dedicated attacker > could find significantly more avenues of attack. less, vi and a number of other innocent looking programs can be used to invoke a shell. Of course, if you can sudo vi, you could just edit the sudoers file. Stephen's advice is to be taken seriously. -- "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Brian W. Kernighan -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
