Mike Kuriger writes:
> sudo provides logging, and commands such as /bin/sh etc can be put into
> a group in /etc/sudoers and forbidden. then add users to the wheel
> group who need sudo access. of course there are ways around the
> forbidden things. you can be specific with which commands they can run
> so that they don't write shell scripts and run them with sudo to bypass
> the forbidden binaries.
>
> Cmnd_Alias SHELLS = /sbin/sh,\
>       /bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\
>       /usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh
> Cmnd_Alias FORBIDDEN = /bin/passwd root,/bin/su,/sbin/su
> %wheel ALL = (ALL) ALL,!SHELLS,!FORBIDDEN

Doesn't help.  If you allow the user to sudo any program that allows them
to shell out (i.e. vi, more) they can get a root shell.  If you need to
stop people with sudo access from getting a root shell you need to have
only allow lists, not deny lists.  And, obviously, you need to be very
careful about what programs you allow them to run.

I did once hack up both vi and more so users couldn't shell out, but
unfortunately that code is long gone.

-- 
Michael T Pins            | "It is not knowable how long that conflict
[EMAIL PROTECTED]         | (Iraq) would last. It could last, you know,
keeper of the nn sources  | six days, six weeks. I doubt six months."
ftp://ftp.nndev.org/pub   | - Donald Rumsfeld, Feb 7, 2003
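As an added illustration of the two points above (a deny list layered on ALL is bypassable through any permitted program that can shell out, and an allow list is only as safe as the programs on it), here is a small audit script that reads sudoers-style rules and flags both patterns. It is not part of the original thread or of sudo itself. It parses only the subset of the sudoers grammar used in the quoted rule (Cmnd_Alias, user specs, backslash continuations) and reports a rule that grants ALL with negations, or grants an editor/pager without sudo's NOEXEC tag (a real sudoers tag that blocks the granted program from executing further programs). The list of shell-escape-capable programs beyond vi and more, and the sample allow-list rules, are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Programs that let the user spawn a shell from inside them. vi and more are the
# two the post names; vim, less and man are assumed here as the same class.
SHELL_ESCAPE_COMMANDS = {"vi", "vim", "more", "less", "man"}

# Constructed sample 1: the deny-list rule quoted in the thread.
DENY_LIST_CONFIG = """\
Cmnd_Alias SHELLS = /sbin/sh,\\
    /bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\\
    /usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh
Cmnd_Alias FORBIDDEN = /bin/passwd root,/bin/su,/sbin/su
%wheel ALL = (ALL) ALL,!SHELLS,!FORBIDDEN
"""

# Constructed sample 2: an allow list that still hands out an editor that can shell out.
EDITOR_CONFIG = "%wheel ALL = (root) /usr/bin/vi /etc/hosts\n"

# Constructed sample 3: an allow list with the editor placed under sudo's NOEXEC tag.
ALLOW_LIST_CONFIG = (
    "%wheel ALL = (root) /usr/bin/systemctl restart httpd, "
    "NOEXEC: /usr/bin/vi /etc/hosts\n"
)


@dataclass
class Finding:
    rule: str
    reason: str


def parse_sudoers(text):
    """Split sudoers text into Cmnd_Alias definitions and user-spec rules.

    Handles backslash line continuations and '#' comments; only the subset of
    the grammar used in the thread is supported.
    """
    aliases, rules = {}, []
    joined = re.sub(r"\\\s*\n\s*", " ", text)  # join continued lines
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            _, rest = line.split(None, 1)
            name, cmds = rest.split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",") if c.strip()]
        elif "=" in line:
            rules.append(line)
    return aliases, rules


TAG_RE = re.compile(r"^((?:[A-Z]+:\s*)+)?(.*)$")


def command_list(rule, aliases):
    """Yield (negated, tags, command) for each command a user spec grants or denies.

    Tags such as NOEXEC: stay in effect for the following commands of the same
    list, as in sudoers; aliases are expanded in place.
    """
    _, rhs = rule.split("=", 1)
    rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)  # drop the optional (runas) spec
    tags = set()
    for item in (i.strip() for i in rhs.split(",") if i.strip()):
        tag_text, body = TAG_RE.match(item).groups()
        for tag in re.findall(r"[A-Z]+", tag_text or ""):
            if tag == "EXEC":
                tags.discard("NOEXEC")
            else:
                tags.add(tag)
        negated = body.startswith("!")
        name = body.lstrip("!").strip()
        for cmd in aliases.get(name, [name]):
            yield negated, frozenset(tags), cmd


def audit(text):
    """Return findings: deny lists layered on ALL, and shell-escape capable
    programs granted without NOEXEC."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for rule in rules:
        entries = list(command_list(rule, aliases))
        allowed = [e for e in entries if not e[0]]
        denied = [e for e in entries if e[0]]
        if denied and any(cmd == "ALL" for _, _, cmd in allowed):
            findings.append(Finding(rule, "deny list on top of ALL: the negations only "
                                          "block the listed paths, any other permitted "
                                          "program that can shell out still yields a root shell"))
        for _, tags, cmd in allowed:
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if prog in SHELL_ESCAPE_COMMANDS and "NOEXEC" not in tags:
                findings.append(Finding(rule, f"{cmd} can shell out and is granted without NOEXEC"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("deny list", DENY_LIST_CONFIG), ("editor", EDITOR_CONFIG),
                       ("allow list", ALLOW_LIST_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg) or [Finding("(no findings)", "")]:
            print(f"  {f.rule}\n    {f.reason}".rstrip())
```

Run against the quoted rule it reports the deny-list problem once; against the plain vi allow list it reports the missing NOEXEC; against the NOEXEC variant it is silent. The checker only recognises the programs in SHELL_ESCAPE_COMMANDS, so it is a lint for the obvious cases, not proof that an allow list is safe.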
