su: blacklist users
Tim Wunder
tim
Fri May 26 22:39:12 PDT 2006
On Friday 26 May 2006 9:24 pm, Michael Hipp wrote:
> > From: "Dominic Lepiane" <archangel at nibble.bz>
> > Tim and I have had a little discussion. Words were said, I was upset,
> > but in conclusion:
> >
> > Using sudo for "limited" access DOES NOT WORK, don't listen to Tim.
> >
> > sudo can be used to grant full root access but nothing less so don't
> > assume it does. That said, if you're in a small single-user environment
> > (e.g. at home), sudo can be used to make admin tasks easier, like editing
> > config files or installing packages. Do not do that in multi-user
> > environments. Please.
>
> Can you elaborate? Is sharing the root password among multi users somehow
> preferable to using sudo? Or is there some third alternative?
>
Well, the crux of the argument has to do with security via obscurity. Granting
levels of sudo access really doesn't protect your system any more than
granting full sudo access.
You could share root's password among multiple users if you want. But then you
lose the logging that sudo provides. The argument Dom and I had was
regarding "limited" sudo access. If you give sudo, it's logically the same as
giving the root password to the user you grant sudo privileges to, as far as
granting the ability to modify your system.
> > P.S. If you have any doubts, please message Tim or me off the list. Since
> > the argument involves an example exploit, I will not post the argument to
> > the list and don't think I'll give you the exploits for free either. I'm
> > not a cracker, I'm a *very* concerned system administrator.
>
> Have you perchance shared this exploit with the authors of sudo?
>
It's not really an "exploit." More like taking things to their logical
conclusion. It'd be interesting to read the opinion of the authors of sudo in
this matter.
Tim
--
Fedora Core release 4 (Stentz), Linux 2.6.16-tim
KDE: 3.5.2-7.0.fc4.kde, xorg-x11-6.8.2-37.FC4.49.2.1
23:00:02 up 1 day, 7:53, 0 users, load average: 0.00, 0.00, 0.00
MP3/OGG archive Total playlength : 8 days, 0 hours, 46 mins 24 seconds
"It's what you learn after you know it all that counts" John Wooden
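Added example (not from this thread, and not sudo's own code): a small sh audit of sudoers user specifications that applies the point Tim makes above about "limited" sudo. The rule parser, the lists of editors, interpreters and pagers it flags, and the sample rules are all constructed for this example and are not exhaustive; the behaviours it relies on (an editor can write any file as root, a pager or find can launch another program, and sudo's NOEXEC tag blocks only the latter) are documented sudo and Unix behaviour, not a specific exploit.

```shell
#!/bin/sh
# Added example, not part of the original thread or of sudo itself: a static
# audit of sudoers user specifications. A "limited" rule that hands out an
# editor, pager or interpreter is root in disguise, because the program
# itself can write or execute arbitrary content. The program lists below are
# an illustrative assumption for this example (not sudo's own, not complete);
# extend them for your site.
set -f   # no pathname expansion: sudoers lines legitimately contain '*'

# Programs that can write or run arbitrary content as root without spawning
# a child (":w! /etc/sudoers" in an editor, a script handed to an
# interpreter). sudo's NOEXEC tag does not help against these.
WRITERS='vi vim view nano emacs awk sed perl python sh bash'
# Programs whose route to root is spawning another program ("!sh" in a
# pager, find -exec). NOEXEC blocks that route.
SPAWNERS='less more man find'

in_list() {   # in_list WORD "w1 w2 ..." -> 0 if WORD is in the list
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# audit_rule 'user host=(runas) [TAG:] cmd [args], cmd ...'
# Prints "VERDICT reason". Returns 0 for ROOT-EQUIVALENT, 1 for LIMITED,
# 2 for lines that are not user specifications (comments, Defaults, aliases).
audit_rule() {
    line=$1
    case $line in
        ''|'#'*|Defaults*|*_Alias*)
            printf '%s\n' 'SKIP not a user specification'; return 2 ;;
    esac
    cmds=${line#*=}            # drop "user host="
    cmds=${cmds#'('*')'}       # drop "(runas)" if present
    noexec=0                   # tags persist across the command list
    old_ifs=$IFS; IFS=','; set -- $cmds; IFS=$old_ifs
    for cmd in "$@"; do
        set -- $cmd            # split into tags, program, arguments
        while :; do
            case $1 in
                NOEXEC:)  noexec=1; shift ;;
                EXEC:)    noexec=0; shift ;;
                *:)       shift ;;          # NOPASSWD:, SETENV:, ...
                *)        break ;;
            esac
        done
        base=${1##*/}          # program name without its directory
        if [ "$base" = ALL ]; then
            printf '%s\n' 'ROOT-EQUIVALENT ALL grants every command'; return 0
        fi
        if in_list "$base" "$WRITERS"; then
            printf '%s\n' "ROOT-EQUIVALENT $base writes or runs arbitrary content as root"; return 0
        fi
        if in_list "$base" "$SPAWNERS" && [ "$noexec" = 0 ]; then
            printf '%s\n' "ROOT-EQUIVALENT $base can spawn a shell (no NOEXEC)"; return 0
        fi
    done
    printf '%s\n' 'LIMITED no listed shell escape in the command list'; return 1
}

# audit_rules "sudoers text": one verdict line per user specification
audit_rules() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        verdict=$(audit_rule "$rule") || :
        case $verdict in SKIP*) continue ;; esac
        printf '%-62s %s\n' "$rule" "$verdict"
    done
}

# Constructed sample rules for the demonstration (not from any real host).
SAMPLE_RULES='# "just" editing one config file
alice ALL=(root) /usr/bin/vim /etc/httpd/conf/httpd.conf
bob   ALL=(root) NOPASSWD: ALL
carol ALL=(root) /sbin/service httpd restart, /sbin/service httpd status
dave  ALL=(root) NOEXEC: /usr/bin/less /var/log/messages
erin  ALL=(root) /usr/bin/less /var/log/messages'

audit_rules "$SAMPLE_RULES"
```

Run it as a script to see the sample verdicts, or call audit_rules on your own sudoers lines. A LIMITED verdict only means no program from the two lists appears in the rule; it is not proof that the rule is safe, which is the thread's point. alice's "edit one file" rule and erin's "read one log" rule both come out ROOT-EQUIVALENT, and dave's only differs because NOEXEC is on.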