RE: Sudo & su

On Sat, 3 Nov 2007 18:22:16 -0500 (CDT)
"Chris St. Pierre" <stpierre@xxxxxxxxxxxxxxxx> wrote:

>> On Sat, 3 Nov 2007, Carville, Stephen wrote:

>> > Do not give it all then try to deny certain commands.  Any reasonably smart user
>> > can defeat that.  Start with nothing and allow only what is necessary.
>> 
>> This is _excellent_ advice.
>> 
>> Let's say you give someone sudo but don't allow them to run 'su'.  I
>> can think of half a dozen ways off the top of my head to get around
>> that:
>> 
>> 'sudo bash'; run su
>> 'sudo screen'; run su
>> 'sudo emacs'; M-x shell; run su
>> 'sudo script su'
>> Write a shell script that invokes su and run it with sudo
>> 'true | sudo xargs su'
>> 
>> That was after about 30 seconds of thought.  A dedicated attacker
>> could find significantly more avenues of attack.

> less, vi and a number of other innocent looking programs
> can be used to invoke a shell.

If you _really_ have to give sudo root permission to one of those programs, 
get the src RPM, rebuild without the shell escape, and install the modified 
version.

Frankly I think shell escapes should be eliminated but that's another argument.

> Of course, if you can sudo vi, you could just edit the
> sudoers file.

> Stephen's advice is to be taken seriously.

--
Stephen
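
Added example, not part of the original thread: a small Python audit that flags the two patterns discussed above in sudoers user specifications, a grant of ALL with `!` exclusions and a grant of a program the thread names as able to start a shell or run another command. The function name, the sample entries and the simplified parsing (no alias expansion) are assumptions of this example.

```python
import os
import re

# Programs named in this thread as able to start a shell or run another command.
ESCAPE_CAPABLE = {"bash", "screen", "emacs", "script", "xargs", "less", "vi"}
# Line types that are not user specifications (aliases are not expanded here).
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sample entries, not taken from any real host.
SAMPLE = """\
Defaults env_reset
alice ALL = (root) ALL, !/bin/su
bob   ALL = (root) NOPASSWD: /usr/bin/less /var/log/messages, /sbin/service httpd restart
carol ALL = (root) /sbin/service httpd restart
"""

def audit_sudoers(text):
    """Return (user, finding, detail) tuples for risky user specifications."""
    findings = []
    logical = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(SKIP) or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        user = who.split()[0]
        spec = re.sub(r"\([^)]*\)", "", spec)   # drop (runas) lists
        spec = re.sub(r"\b[A-Z_]+:", "", spec)  # drop tags such as NOPASSWD:
        cmds = [c.strip() for c in spec.split(",") if c.strip()]
        allowed = [c for c in cmds if not c.startswith("!")]
        denied = [c for c in cmds if c.startswith("!")]
        if "ALL" in allowed and denied:
            # "Give it all, then deny": the exclusions only block one path to the command.
            findings.append((user, "deny-list", "ALL with exclusions: " + ", ".join(denied)))
        elif "ALL" in allowed:
            findings.append((user, "unrestricted", "ALL"))
        for c in allowed:
            # Compare the program name only; arguments do not change the finding.
            if os.path.basename(c.split()[0]) in ESCAPE_CAPABLE:
                findings.append((user, "escape-capable", c))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

Entries that list only specific commands outside the flagged set, like the constructed `carol` line, produce no finding.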