Constrained sudo is no substitute for proper security. If I was in charge of a database where personal details or credit card or financial information could be compromised I would not rely on constrained sudo.
The reason is that no matter how smart you think you are, some smarty pants always finds a way to abuse the root privileges they have been granted, possibly by exploiting a design flaw in the program they've been allowed to run as root.

For example, I am pretty sure that psql can be used to write files with arbitrary content (use your imagination with \copy ... or \echo ...). I am pretty sure that as root you could overwrite /usr/bin/psql with another file of the same name that actually execs /bin/bash if invoked with a suitable command line option, but otherwise behaves just like /usr/bin/psql ...

If you don't believe me try this:

sudo psql <whatever ...>
dbname=>\pset tuples_only
dbname=>\o |/bin/bash
dbname=>select 'id';
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

There are many more sophisticated examples.

The only solution is not to grant sudo to anyone you wouldn't grant root to.

Cheers,
Robin

On Wed, 2012-03-14 at 12:24 -0400, Kris Deugau wrote:
> Scott Ribe wrote:
> > On Mar 14, 2012, at 9:01 AM, David Ondrejik wrote:
> >
> >> In Linux you can setup and use the "sudo" option. For those whom you don't
> >> wish to have root access, simply make them sudousers, then change the root
> >> password. This will force those users to simply type "sudo" (w/o quotes)
> >> at the beginning of each command they want to run (i.e. sudo psql db_name
> >> "insert into....").
> >
> > Sure, you mean like this command:
> >
> > sudo su root
>
> If properly (mis)configured.
>
> On the other hand, you can provide very limited root access on a
> command-by-command and user-by-user basis with more complex sudo
> configurations, and while the first request will ask for a password,
> further requests within the configured authorization timeout will still
> be logged even if the user isn't asked for their password.
>
> -kgd
>
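A sudoers fragment, added here as an illustration and not taken from the thread, of the command-by-command, user-by-user configuration Kris describes, with the authorization timeout and logging he mentions; the NOEXEC tag is sudo's own guard against the permitted program spawning a shell the way Robin's \o |/bin/bash session does, and it narrows that risk without changing Robin's conclusion. The user name dba and the log file path are assumptions.

```sudoers
# Added example, not from the thread. Assumed user: dba. Assumed log path.

# Only the named binary, only for the named user, only as root.
Cmnd_Alias  DB_PSQL = /usr/bin/psql

# Ask for the password again after 5 minutes; every invocation is still
# written to the log whether or not a password was requested.
Defaults        timestamp_timeout=5
Defaults        logfile="/var/log/sudo.log"

# Also record the session's keystrokes and output (replayable with
# sudoreplay), so a \o |/bin/bash sequence leaves a trace beyond the
# command line that started psql.
Defaults:dba    log_input, log_output

# NOEXEC: sudo preloads a library that refuses exec() calls made by the
# command it runs, so a dynamically linked psql cannot start /bin/bash
# through \o | or \!. It does nothing about psql itself writing files as
# root (\copy ... to, \o file), which is Robin's other point.
dba  ALL = (root) NOEXEC: DB_PSQL
```

Edit the file only through visudo, which checks the syntax before it is installed.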