su: blacklist users
Michael Hipp
michael
Fri May 26 23:21:51 PDT 2006
> From: "Tim Wunder" <tim at thewunders.org>
> To: "Linux tips and tricks" <linux-users at linux-sxs.org>
> Subject: Re: su: blacklist users
> Date: Fri, 26 May 2006 23:29:49 -0400
>
>
> On Friday 26 May 2006 9:24 pm, Michael Hipp wrote:
> > > From: "Dominic Lepiane" <archangel at nibble.bz>
> > > Tim and I have had a little discussion. Words were said, I was upset,
> > > but in conclusion:
> > >
> > > Using sudo for "limited" access DOES NOT WORK, don't listen to Tim.
> > >
> > > sudo can be used to grant full root access but nothing less so don't
> > > assume it does. That said, if you're in a small single-user environment
> > > (e.g. at home), sudo can be used to make admin tasks easier, like editing
> > > config files or installing packages. Do not do that in multi-user
> > > environments. Please.
> >
> > Can you elaborate? Is sharing the root password among multi users somehow
> > preferable to using sudo? Or is there some third alternative?
> >
>
> Well, the crux of the argument has to do with security via obscurity. Granting
> levels of sudo access really doesn't protect your system any more than
> granting full sudo access.
>
> You could share root's password among multi users if you want. But then you
> lose the logging that sudo provides. The argument Dom and I had was
> regarding "limited" sudo access. If you give sudo, it's logically the same as
> giving the root password to the user you grant sudo privileges to, as far as
> granting the ability to modify your system.
>
> > > P.S. If you have any doubts, please message Tim or I off the list. Since
> > > the argument involves an example exploit, I will not post the argument to
> > > the list and don't think I'll give you the exploits for free either. I'm
> > > not a cracker, I'm a *very* concerned system administrator.
> >
> > Have you perchance shared this exploit with the authors of sudo?
> >
>
> It's not really an "exploit." More like taking things to their logical
> conclusion. It'd be interesting to read the opinion of the authors of sudo in
> this matter.
So would I.
It would be rather surprising if they agreed that the sudoers file should be reduced to a simple list of those who have full root access. All that complexity in the sudoers file - for nothing. Unlikely.
Michael