Network Security Focus-Sun

Re: root group in solaris

Subject: Re: root group in solaris
Date: Wed, 27 Sep 2006 09:03:08 -0700
Tonnerre Lombard <tonnerre.lombard@sygroup.ch> wrote on 09/26/2006 10:38:40 PM:

> On Tue, 2006-09-26 at 17:09 -0700, Jonathan Leffler wrote:
> > > What if one of the commands is /bin/ksh? Or if the person in question
> > > runs sudo /bin/ksh?
> >
> > Download the source (v1.6.3 is available from SourceForge). Try it.
> > [...]
>
> This is absolutely clear to me. I was thinking more in the lines of
> "Wouldn't that give the user the right to do whatever he wants, even if
> he didn't initially get the permission to do it in /etc/sudoers, and
> wouldn't that give the user even the right to _change_ /etc/sudoers?"

Sorry - I misunderstood your concern.

Yes, it gives the user permission to do whatever he wants (which isn't 
quite the same as the right to do whatever he wants - but the difference 
would take some explaining).  And yes, as I mentioned, the user could 
change the sudosh log files, and /etc/sudoers, and so on.

I generally take the view that if you can't trust the users with root 
privileges, you are in for a very difficult time - usually stated in the 
more absolute form "root can do anything", where anything includes erasing 
or replacing the o/s (though the reboot can be tricky over a network).  It 
might be over-simplistic as a view; it isn't too far removed from the 
truth.

-- 
Jonathan Leffler (jleffler@us.ibm.com) 
STSM, Informix Database Engineering, IBM Information Management Division 
4100 Bohannon Drive, Menlo Park, CA 94025-1013 
Tel: +1 650-926-6921     Tie-Line: 630-6921 
          "I don't suffer from insanity; I enjoy every minute of it!" 




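The reply above concludes that a sudoers entry permitting /bin/ksh or sudosh amounts to unrestricted root, including the ability to edit /etc/sudoers and the sudosh logs. The following is an added example, not part of the original post and not code from sudo or sudosh, that flags such entries in sudoers text. The names `audit_sudoers`, `logical_lines`, `SHELLS` and `SAMPLE` are hypothetical, the sample entries are constructed, and the parser assumes a simplified grammar: one alias definition per line and no escaped commas in command arguments.

```python
import re

# Basenames treated as handing out a root shell. This list is an assumption of
# the example; sudosh is included because it wraps an interactive shell.
SHELLS = {"sh", "ksh", "bash", "csh", "tcsh", "zsh", "sudosh"}

SAMPLE = r"""# Constructed sample sudoers text, not taken from any real host.
Defaults logfile=/var/log/sudo.log
Cmnd_Alias SHELLCMDS = /bin/ksh, \
                       /usr/local/bin/sudosh
Cmnd_Alias WEB = /usr/sbin/apachectl restart
alice  ALL = (root) NOPASSWD: WEB
bob    ALL = (root) SHELLCMDS, /usr/sbin/prtconf
carol  ALL = (ALL) ALL
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit_sudoers(text):
    """Return (who, command, reason) for entries equivalent to full root."""
    aliases, findings = {}, []
    for line in logical_lines(text):
        alias = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if alias:
            aliases[alias.group(1)] = [c.strip() for c in alias.group(2).split(",")]
            continue
        if re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        who, seen = lhs.split()[0], set()
        rhs = re.sub(r"\([^)]*\)", "", rhs)  # drop "(runas)" specs
        pending = [c.strip() for c in rhs.split(",")]
        while pending:
            cmd = re.sub(r"^([A-Z_]+:\s*)+", "", pending.pop(0))  # strip tags
            if cmd in aliases and cmd not in seen:
                seen.add(cmd)
                pending = aliases[cmd] + pending  # expand Cmnd_Alias in place
            elif cmd == "ALL":
                findings.append((who, cmd, "unrestricted"))
            elif cmd.startswith("/") and cmd.split()[0].rsplit("/", 1)[-1] in SHELLS:
                findings.append((who, cmd, "shell"))
    return findings

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE))
```

An empty result only means no entry names a listed shell or `ALL`; it does not show that the remaining commands are safe to delegate.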