> That's a huge security hole, btw. Don't do that!
this is an attempt to be more security minded, not less. Only admins would
have access to those sudo commands.

For example, if I am root and issue the command:

echo "newroot:x:0:0:root:/root:/bin/bash" >> /etc/passwd

then who added the newroot user?  root did, but there is no audit trail.
If I am a trusted admin and I log in with my own user ID, and must use sudo
in the command, then there is an audit trail.

    -Mike



On Fri, Jul 10, 2015 at 4:02 AM, Karsten Hopp <[email protected]> wrote:

> That's a huge security hole, btw. Don't do that!
>
> echo "newroot:x:0:0:root:/root:/bin/bash" | /usr/bin/tee /etc/passwd
>
> a similiar command for /etc/shadow and you've gained root.
>
>
>
> Am 09.07.2015 um 18:06 schrieb Michael MacIsaac:
>
>> Let me answer my own question.  Perhaps kludgy, but by adding 'tee' to
>> sudo, this technique works:
>>
>> root@lab141:~ # visudo
>> root@lab141:~ # tail -1 /etc/sudoers
>> %zoom ALL=NOPASSWD:/usr/bin/tee
>> root@lab141:~ # su - mike
>> mike@lab141:~ # free -m
>>               total       used       free     shared    buffers     cached
>> Mem:           491        473         18          0        111        170
>> -/+ buffers/cache:        190        300
>> Swap:          512          0        511
>> mike@lab141:~ # echo 3 | sudo /usr/bin/tee /proc/sys/vm/drop_caches >
>> /dev/null
>> mike@lab141:~ # free -m
>>               total       used       free     shared    buffers     cached
>> Mem:           491        103        388          0          1         12
>> -/+ buffers/cache:         89        401
>> Swap:          512          0        511
>>
>>
>>
>> ----------------------------------------------------------------------
>> For LINUX-390 subscribe / signoff / archive access instructions,
>> send email to [email protected] with the message: INFO LINUX-390 or
>> visit
>> http://www.marist.edu/htbin/wlvindex?LINUX-390
>> ----------------------------------------------------------------------
>> For more information on Linux on System z, visit
>> http://wiki.linuxvm.org/
>>
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO LINUX-390 or
> visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> ----------------------------------------------------------------------
> For more information on Linux on System z, visit
> http://wiki.linuxvm.org/
>

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Reply via email to