su: blacklist users

Dominic Lepiane archangel
Sat May 27 18:19:17 PDT 2006


On May 26, 2006 09:59 pm, A. Khattri wrote:
> On Fri, 26 May 2006, Tim Wunder wrote:
> > You could share root's password among multi users if you want. But then
> > you lose the logging that sudo provides. The argument Dom and I had was
> > regarding "limited" sudo access. If you give sudo, it's logically the
> > same as giving the root password to the user you grant sudo privileges
> > to, as far as granting the ability to modify your system.
>
> Not sure I'm following this correctly: with sudo I can specify which exact
> commands (and only those commands) a user can run as root. But more
> importantly I can specify which command-line arguments to those commands
> are NOT allowed.
>
> Example: recently I had a colo server where they wanted to be able to add
> accounts and change passwords. So I setup a command alias in the sudoers
> file that only listed those two commands. I then later in the file
> specify which account can run the command alias and which command aliases
> they cannot run (e.g. they can't change the password of any existing
> accounts, or any system accounts or root or mine, etc etc).
>
> Now I would imagine commands that allow subshells (i.e. vi, more, less,
> etc) might be exploitable. Is this what people are driving at?

Exactly, but any time users are being granted system privileges, you have to
be aware that they might be able to get full system privileges.  A
security-conscious administrator should normally assume that a malicious user
could get full super-user access given any permissions at all from sudo, so
all the additional features of sudo become sadly irrelevant.  But it is still
useful since you a) don't need to share passwords and b) get some nice
accounting of who is running commands as root, both of which are very
valuable features, which is why I'd still prefer the use of sudo over
pam_wheel.

-- 
Dominic Lepiane

"It only takes one drink to get me drunk, but I can't remember if it's the 
thirteenth or fourteenth."
 --  George Burns

  .o.
  ..o
  ooo
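The setup A. Khattri describes above (a command alias limited to account creation and password changes, with the accounts that must not be touched subtracted with "!"), written out as a sudoers fragment. This is an added example, not a file from the thread or from either poster; the user name "helpdesk", the group "ops" and the file paths are assumed, and the logging defaults reflect Dom's point that the accounting is the part of sudo you can rely on even when the command restrictions are not airtight.

```sudoers
# Added example (not from the list thread). Account names, group name and
# paths are hypothetical. Always edit with visudo so a syntax error cannot
# lock everyone out.

# Command alias 1: account creation only.
Cmnd_Alias ADDUSERS = /usr/sbin/useradd, /usr/sbin/adduser

# Command alias 2: passwd with exactly one account-name argument, minus the
# accounts that must never be changed this way (root, the admin's own account).
# Argument negation only subtracts the literal matches listed here; as the
# reply above says, treat any sudo grant as potentially full root anyway.
Cmnd_Alias PASSWD = /usr/bin/passwd [A-Za-z]*, \
                    !/usr/bin/passwd root, \
                    !/usr/bin/passwd admin

# Accounting: record who ran what, and log the session even when the
# command turns interactive (use_pty + log_output).
Defaults logfile=/var/log/sudo.log
Defaults use_pty
Defaults log_output

# helpdesk may run the two aliases as root. NOEXEC stops the granted
# command from executing further programs (effective for dynamically
# linked binaries), which is the sudo-side mitigation for the subshell
# problem raised in the thread.
helpdesk ALL = (root) NOEXEC: ADDUSERS, PASSWD

# Never grant vi/more/less themselves; where a file must be edited, grant
# sudoedit on that one file so the editor runs as the invoking user.
%ops ALL = (root) sudoedit /etc/motd
```

Check the result with `visudo -c` before relying on it, and test the negative cases (`sudo passwd root` as helpdesk should be refused and logged) rather than only the positive ones.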