su: blacklist users
Dominic Lepiane
archangel
Fri May 26 12:39:14 PDT 2006
On May 26, 2006 08:54 am, Tim Wunder wrote:
> On Friday 26 May 2006 11:36 am, Net Llama! wrote:
> > On Fri, 26 May 2006, Dominic Lepiane wrote:
> > > On May 25, 2006 09:04 pm, Man-wai CHANG wrote:
> > > > > So far as I know, the best way to control access to who has access
> > > > > to super-user privileges is with "sudo". My understanding is that
> > > > > what sudo is for.
> > > >
> > > > sudo is no replacement for su. It's not convenient if you have lots
> > > > of commands to run.
> > >
> > > $ sudo su
> > > # uname
> > > # cd
> > > # ls
> > > # ^D
> > > $
> > >
> > > ?
> > >
> > > Do not be under the misapprehension that sudo limits the commands a user
> > > can run as the super-user. It grants super-user access. That's what
> > > it does and
> >
> > Because it does. sudo can be configured to restrict the commands that a
> > user can run. Just because your system hasn't been restricted in that
> > fashion doesn't mean it's not possible.
>
> Indeed. There are things I've let myself do via sudo that require me to
> enter my password (sudo vi, for example). Other things I can just do,
> without password (sudo yum update, for example). And still other things I
> need to su - to do.
>
> I cannot sudo su on my system.
>
> sudo can largely be configured to be as restrictive, or unrestrictive as
> you want. 'man sudoers'
>
> Tim
Tim and I have had a little discussion. Words were said, I was upset, but in
conclusion:
Using sudo for "limited" access DOES NOT WORK, don't listen to Tim.
sudo can be used to grant full root access but nothing less so don't assume it
does. That said, if you're in a small single-user environment (e.g. at
home), sudo can be used to make admin tasks easier, like editing config files
or installing packages. Do not do that in multi-user environments. Please.
--
Dominic Lepiane
"Payday came and with it beer."
-- Rudyard Kipling
.o.
..o
ooo
P.S. If you have any doubts, please message Tim or me off the list. Since the
argument involves an example exploit, I will not post the argument to the
list and don't think I'll give you the exploits for free either. I'm not a
cracker, I'm a *very* concerned system administrator.
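As an added example that is not part of the thread, here is a small POSIX sh audit of the two kinds of sudoers setup the thread contrasts: it flags user rules whose command list contains ALL or allows su (which, as the thread notes, amounts to full root), and passes a rule that lists specific commands. The sudoers fragments, user names and temp-file paths are constructed, and Cmnd_Alias expansion is not implemented.

```shell
#!/bin/sh
# Added example (not from the thread): count user rules in a sudoers-style
# file that hand out unrestricted root, i.e. a command list containing ALL
# or a rule allowing su. Alias definitions are skipped, not expanded.
# All file contents below are constructed samples.

audit_sudoers() {
    # $1: sudoers-style file. Prints the number of risky rules on stdout
    # and describes each one on stderr.
    risky=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # strip comments
        case "$line" in
            ''|Defaults*|*_Alias*) continue ;;  # blanks, Defaults, aliases
            *=*) ;;                             # a user specification
            *) continue ;;
        esac
        cmds=${line#*=}                         # right-hand side of the rule
        cmds=${cmds#*\)}                        # drop "(runas)" if present
        for word in $(printf '%s' "$cmds" | tr ',' ' '); do
            case "$word" in
                *:) continue ;;                 # tags such as NOPASSWD:
                ALL|*/su) risky=$((risky + 1))
                          printf 'risky rule: %s\n' "$line" >&2 ;;
            esac
        done
    done < "$1"
    printf '%s\n' "$risky"
}

PERMISSIVE=$(mktemp)   # the setup Dominic describes: sudo su gives root
cat > "$PERMISSIVE" <<'EOF'
# constructed sample: both rules grant full root
Defaults env_reset
dominic ALL=(ALL) ALL
tim     ALL=(root) /bin/su
EOF

RESTRICTED=$(mktemp)   # the kind of setup Tim describes (see 'man sudoers')
cat > "$RESTRICTED" <<'EOF'
# constructed sample: named commands only, no su
Defaults env_reset
tim ALL=(root) /usr/bin/vi, NOPASSWD: /usr/bin/yum update
EOF

audit_sudoers "$PERMISSIVE"    # prints 2
audit_sudoers "$RESTRICTED"    # prints 0
```

A command list is only as restrictive as the listed programs themselves; sudoers(5) documents the NOEXEC tag for commands that can run other programs.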