On Thu, Jan 01, 2004 at 03:19:53PM -0800, Ben Barrett wrote:
> Ah yes, sudo is a Good Thing, although be wary of allowing "sudo su", for if
> you are trying to limit your normal users' actions, and get a log of what
> they sudo, you'll only ever see that they became root, at which point they
> have untrackable control.

That's only the tip of the iceberg, so to speak. Don't forget that such seemingly harmless programs as 'less' and 'more' can execute commands, like "!sh". The only really effective way to limit what users can do with sudo is to explicitly list, with full pathnames and making sure there's no way for the user to modify them, which programs and possibly with which arguments they are allowed to sudo.

If they run 'sudo su', that action will be logged, not only in the sudo log, but also in the security/login logs. The best way to stop that kind of behaviour is by policy, making 'sudo su' grounds for termination.

The sudo-users mailing list archive, http://www.sudo.ws/pipermail/sudo-users/, is full of sudo "gotchas" and solutions.

-- <[EMAIL PROTECTED]>
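
One way to lint a sudoers entry against the points raised in this message (full pathnames, restricted arguments, targets the user cannot modify, no shell-capable programs). This is an added example, not part of the original post or of sudo itself; the parser is deliberately simplified, and the function names, the `ESCAPE_CAPABLE` list and the sample line are assumptions made for illustration.

```python
import os
import stat

# Programs this thread names as giving a root shell or a "!sh"-style escape.
ESCAPE_CAPABLE = {"su", "sh", "less", "more"}

def commands_from_spec(line):
    """Simplified parse of one user spec: 'user host = (runas) cmd, cmd'.
    Assumption: no aliases, no tags, no escaped commas."""
    rhs = line.split("=", 1)[1].strip()
    if rhs.startswith("("):
        rhs = rhs.split(")", 1)[1]
    return [c.strip() for c in rhs.split(",") if c.strip()]

def modifiable(path, trusted_uid=0):
    """True if the file or its directory is not owned by trusted_uid
    or is writable by group/other. A full audit would walk every parent."""
    for p in (path, os.path.dirname(path)):
        try:
            st = os.stat(p)
        except OSError:
            return True  # cannot verify the target, so report it
        if st.st_uid != trusted_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return True
    return False

def audit(line, trusted_uid=0):
    """Return (command, finding) pairs for one sudoers user spec."""
    findings = []
    for cmd in commands_from_spec(line):
        prog, _, args = cmd.partition(" ")
        if prog == "ALL":
            findings.append((cmd, "unrestricted"))
            continue
        if not os.path.isabs(prog):
            findings.append((cmd, "not a full pathname"))
            continue
        if os.path.basename(prog) in ESCAPE_CAPABLE:
            findings.append((cmd, "shell or shell escape"))
        if not args.strip():
            findings.append((cmd, "arguments not restricted"))
        if modifiable(prog, trusted_uid):
            findings.append((cmd, "modifiable by user"))
    return findings

if __name__ == "__main__":
    # Constructed sample entry, not taken from any real system.
    sample = "alice ALL = (root) /bin/su, /usr/bin/less /var/log/messages"
    for cmd, why in audit(sample):
        print(f"{cmd}: {why}")
```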
