Re: root group in solaris : Tools

Mike Kuriger writes:

> sodo provides logging, and commands suck as /bin/sh etc can be put into
> a group in /etc/sudoers and forbidden.  then add users to the wheel
> group who need sudo access.   of course there are ways around the
> forbidden things.  you can be specific with which commands they can run
> so that they don't write shell scripts and run them with sudo to bypass
> the forbidden binaries.



> Cmnd_Alias      SHELLS =        /sbin/sh,\
>                                /bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\
>                               
> /usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh

> Cmnd_Alias      FORBIDDEN =     /bin/passwd root,/bin/su,/sbin/su

> %wheel          ALL =           (ALL) ALL,!SHELLS,!FORBIDDEN

Doesn't help.  If you allow the user to sudo any program that allows them
to shell out (i.e. vi, more) they can get a root shell.

If you need to stop people with sudo access from getting a root shell
you need to have only allow lists, not deny lists.  And, obviously, you
need to be very careful about what programs you allow them.

I did once hack up both vi and more so users couldn't shell out, but
unfortunately that code is long gone.

-- 
Michael T Pins              |   "It is not knowable how long that conflict
mtpins@nndev.org            |   (Iraq) would last.  It could last, you know,
keeper of the nn sources    |   six days, six weeks.  I doubt six months."
ftp://ftp.nndev.org/pub     |   - Donald Rumsfeld, Feb 7, 2003