Re: SUDO

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jun 29, 2009 at 4:37 PM, mark <m.roth2006@xxxxxxx> wrote:

> hike wrote:
> > On Mon, Jun 29, 2009 at 3:49 PM, mark <m.roth2006@xxxxxxx> wrote:
> >> hike wrote:
> >>> On Mon, Jun 29, 2009 at 10:16 AM, Mertens, Bram <mertensb@xxxxxxxxxxxx
> >>> wrote:
> >>>
> >>>> I'd like to elaborate on this a bit.
> >>>>
> >>>> The intention of sudo is to allow specific users to execute specific
> >>>> commands while keeping the root account locked down.  In addition sudo
> >>>> provides a trace of which user executed which command in
> /var/log/secure
> >>>> that can be used for auditing.
> >>>>
> >>>> The sudoers file should allow as little as possible to as few users as
> >>>> possible!
> >>>>
> >>>> If you allow users to execute sudo su - with or without having to
> enter
> >>>> the root password you gain nothing.  While working as root no actions
> >>>> are logged and all log files can be edited to remove any trace of
> >>>> "illegal" actions.
> >> <snip>
> >>> the op wants to hack the system and gain resources he has no
> >>> authorization for. Or the managers don't want to share root password,
> say,
> >>> with a contractor, who
> >> they've hired as a sysadmin, but will only be there a few months, and
> they
> >> don't want to have to change root passwords.
> >
> > that is a distinction without a difference.
> >
> > the op wants to hack the system and gain resources he has no
> authorization
> > for.
>
> You're completely wrong. If, in my example, the contractor is granted the
> individual account, and group access to explicitly allow that - and it *is*
> a
> specific specification in /etc/sudoers, it may be management's intent to
> have
> them do it that way.
>
> That was exactly the case for me on a recent contract. My managers told me
> to
> do it that way.
>
> So, it is both a distinction *and* a difference.
>
>        mark
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>


not really.

any time the op oversteps his authorized usage of a machine, he has crossed
the line.

so, whether he is a user trying to gain root access or a sudo-er trying to
gain root access, he is doing the same thing in either case--the gaining of
increased right that he is now authorized to gain.

just because the op has some rights (and we don't know that is the case),
there is no approval beyond those rights; the taking of unapproved rights
was the topic i was discussing and it appears that the op is purposing to
take unapproved rights.
-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux