On Thu, 1 Jan 2004 21:01:14 -0800 Jacob Meuser <[EMAIL PROTECTED]> wrote:
| On Thu, Jan 01, 2004 at 03:19:53PM -0800, Ben Barrett wrote:
| > Ah yes, sudo is a Good Thing, although be wary of allowing "sudo su",
| > for if you are trying to limit your normal users' actions, and get a log
| > of what they sudo, you'll only ever see that they became root, at which
| > point they have untrackable control.
|
| That's only the tip of the iceberg, so to speak. Don't forget that
| such seemingly harmless programs as 'less' and 'more' can execute
| commands, like "!sh".

Are you talking about control-Z suspend or something else?

| The only really effective way to limit what users can do with sudo is
| explicitly list, with full pathnames and making sure there's no way for
| the user to modify, which programs and possibly with which arguments
| they are allowed to sudo.
|
| If they run 'sudo su', that action will be logged, not only in the
| sudo log, but also the security/login logs. The best way to stop
| that kind of behaviour is by policy, making 'sudo su' grounds for
| termination.

That's not going to help when an attacker gets ahold of someone's password; then you're mostly SOL, except for finding out when the bad person did the "sudo su" -- if they didn't remove the logs!

For instance, once someone becomes root, they could remount the filesystem with "noatime" so that any files they peek or poke don't change their last-access-time field... very effective.

If "sudo su" is undesirable, I would say that the most effective way to block that action is, as you say, allowing only a specific list of path/executables available for sudo'ing -- or just don't use sudo. Without sudo, you might take advantage of a chrooted environment, or a usermode linux (UML)... or something similar. Other ideas, anyone?

| The sudo-users mailing list archive
| http://www.sudo.ws/pipermail/sudo-users/,
| is full of sudo "gotchas" and solutions.

thanks!
_______________________________________________ EuG-LUG mailing list [EMAIL PROTECTED] http://mailman.efn.org/cgi-bin/listinfo/eug-lug
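As an added example (not part of the thread), here is a small Python audit of a sudoers fragment that flags the gotchas discussed above: rules granting ALL or a shell, commands given without a full pathname, and pagers such as less/more that can run "!sh" unless the rule carries sudo's NOEXEC tag. The sudoers text is constructed for the demo, and the parser is deliberately simplified (no line continuations, no "!" negation, no Runas_Alias expansion).

```python
import re

# Constructed sudoers fragment for the demo; not from the thread or any real host.
SAMPLE_SUDOERS = """\
Defaults    requiretty
Cmnd_Alias  PAGERS = /usr/bin/less, /usr/bin/more
alice   ALL=(ALL) ALL
bob     ALL=(root) /bin/su
carol   ALL=(root) NOPASSWD: /sbin/shutdown -h now
dave    ALL=(root) NOEXEC: PAGERS
erin    ALL=(root) PAGERS
frank   ALL=(root) service apache2 restart
"""

SHELLS = {"su", "sh", "bash", "ksh", "csh", "zsh"}
ESCAPE_CAPABLE = {"less", "more", "vi", "vim", "man"}   # can spawn a shell from inside
SKIP = re.compile(r"^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)\b")

def parse_aliases(text):
    """Collect Cmnd_Alias NAME = cmd, cmd ... definitions (single-line form only)."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return aliases

def audit_sudoers(text):
    """Return a list of (user, finding) for rules that undermine sudo's logging or limits."""
    aliases = parse_aliases(text)
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or SKIP.match(line):
            continue
        user, _, rhs = line.partition("=")             # "user host = (runas) TAG: cmd, cmd"
        user = user.split()[0]
        rhs = re.sub(r"^\([^)]*\)\s*", "", rhs.strip())  # strip the (runas) part
        tags = set(re.findall(r"\b([A-Z]+):", rhs))      # NOPASSWD:, NOEXEC:, ...
        rhs = re.sub(r"\b[A-Z]+:\s*", "", rhs)
        for spec in (c.strip() for c in rhs.split(",")):
            for cmd in aliases.get(spec, [spec]):        # expand a Cmnd_Alias if used
                path = cmd.split()[0]
                name = path.rsplit("/", 1)[-1]
                if path == "ALL":
                    findings.append((user, "ALL: unrestricted root, same effect as 'sudo su'"))
                elif not path.startswith("/"):
                    findings.append((user, f"{path}: no full pathname, resolved via PATH"))
                elif name in SHELLS:
                    findings.append((user, f"{path}: shell; later actions leave no sudo log"))
                elif name in ESCAPE_CAPABLE and "NOEXEC" not in tags:
                    findings.append((user, f"{path}: can spawn a shell ('!sh'); add NOEXEC:"))
    return findings
```

Running audit_sudoers(SAMPLE_SUDOERS) flags alice, bob, erin (twice) and frank, while carol's fixed-argument command and dave's NOEXEC-tagged pagers pass.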
