Hi Derek,

Thanks for your opinion and advice. I documented in the ChangeLog and the man pages that I've made some changes, and it's also in the source code itself (documented as HEV "These are changes for sudo"). I also wrote it in Authors, that the sudo additions aren't written by you. If you want me to change the name itself, I will. I thought it'd suffice to just name it "rssh with sudo" (couldn't find any better name, since rssh fits perfectly).

Of course it's not meant to allow full sudo access to anybody. We have only restricted sudo (I bet this is difficult, but security is a hard thing to deal with, I guess). And you're surely right if you say that there are many ways to get another shell via some commands (which may be allowed via sudo). We just needed something more secure than our old script (and to be honest, not even that one was abused by our users, I think..). rssh did that, even with sudo access.

Have a nice day :)

Quoting Derek Martin <c...@pizzashack.org>:

> On Thu, Jun 30, 2011 at 01:21:51PM +0200, Aurelin wrote:
> > You can find the download here: http://aurelin.net/downloads.htm
> >
> > Uhm, I versioned it as rssh-2.3.4-2 (2.3.4 for sudo addition, -1 for the rsync-patch, -2 for some corrections and changes), but I'm not sure whether this is okay, so if not, please tell me. I'm a noob, concerning versioning and such.. ;)
>
> What you've done effectively is forked the code. That's perfectly OK, but you probably should give it a different name to indicate that it is no longer the main line code. Or at least clearly document somewhere in the software distribution that you've made changes that are not in the original code line.
>
> As for the changes themselves, I'm inclined to think that it's a bad idea, generally. It only makes sense in the context of restricting sudo (allowing full sudo completely defeats the purpose of rssh). In the general case, configuring restricted sudo access is quite difficult to get right... so many things allow you to get a shell, not always in obvious ways. A bug in sudo or any unexpected shell access results in a complete system compromise, *even if you use a chroot jail*. I would personally never ever give sudo access to any user whom I did not completely trust to have full root access to my machine. YMMV. :)
>
> --
> Derek D. Martin
> http://www.pizzashack.org/
> GPG Key ID: 0x81CFE75D
_______________________________________________
rssh-discuss mailing list
rssh-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rssh-discuss