su: blacklist users
Dominic Lepiane
archangel
Fri May 26 10:49:22 PDT 2006
On May 26, 2006 08:36 am, Net Llama! wrote:
> On Fri, 26 May 2006, Dominic Lepiane wrote:
> > On May 25, 2006 09:04 pm, Man-wai CHANG wrote:
> > > > So far as I know, the best way to control access to who has access to
> > > > super-user privileges is with "sudo". My understanding is that that's
> > > > what sudo is for.
> > >
> > > sudo is no replacement for su. It's not convenient if you have lots of
> > > commands to run.
> >
> > $ sudo su
> > # uname
> > # cd
> > # ls
> > # ^D
> > $
> >
> > ?
> >
> > Do not be under the misapprehension that sudo limits the commands a user
> > can run as the super-user. It grants super-user access. That's what it
> > does and
>
> Because it does. sudo can be configured to restrict the commands that a
> user can run. Just because your system hasn't been restricted in that
> fashion doesn't mean it's not possible.
sudo has got to be the world's easiest facility to get an escalation with.
Far too many utilities could be used to get a full root shell. It's
*possible* to allow a command or two, but I would never assume that a user
with sudo access to any sort of variety of commands couldn't escalate.
--
Dominic Lepiane
"Payday came and with it beer."
-- Rudyard Kipling
.o.
..o
ooo
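
Added example (not part of the original message, and not code from the sudo project): a small Python audit illustrating the point above, that a "restricted" sudoers entry can still amount to a full root shell. It assumes a simplified sudoers syntax without aliases; the sample entries, user names and program lists are constructed for illustration and are not exhaustive.

```python
import os
import re

# Illustrative lists, not exhaustive: shells and su hand over root directly;
# editors and pagers are classes sudoers(5) names as permitting shell escapes.
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh", "su"}
ESCAPE_CAPABLE = {"vi", "vim", "more", "less"}
TAG = re.compile(r"^([A-Z_]+):\s*")

# Constructed sample entries, not taken from any real system.
SAMPLE = """\
# user host = (runas) [TAG:] command, command
alice ALL = (ALL) ALL
bob   ALL = (root) /usr/bin/su
carol ALL = (root) /usr/bin/less /var/log/messages, /sbin/reboot
dave  ALL = (root) NOEXEC: /usr/bin/less /var/log/messages, /usr/bin/vi
erin  ALL = (root) /sbin/reboot
"""

def audit(text):
    """Return (user, command, finding) for entries that amount to root."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line or line.startswith("Defaults"):
            continue
        lhs, rhs = line.split("=", 1)
        user = lhs.split()[0]
        rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)  # drop the (runas) list
        noexec = False  # a tag carries over to later commands in the list
        for cmd in (c.strip() for c in rhs.split(",")):
            while (m := TAG.match(cmd)):
                if m.group(1) in ("NOEXEC", "EXEC"):
                    noexec = m.group(1) == "NOEXEC"
                cmd = cmd[m.end():]
            if not cmd:
                continue
            name = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted root"))
            elif name in SHELLS:
                findings.append((user, cmd, "interactive root shell"))
            elif name in ESCAPE_CAPABLE and not noexec:
                findings.append((user, cmd, "shell escape; use NOEXEC or sudoedit"))
    return findings

if __name__ == "__main__":
    for user, cmd, finding in audit(SAMPLE):
        print(f"{user:6} {cmd:32} {finding}")
```
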